New York Cybersecurity regulations are here.
The 23 NYCRR 500, or NYC500, is First-in-the-Nation Cybersecurity regulation requiring New York businessesto design a program to address and assess their unique risk profiles starting March 1, 2017.
This regulation applies to every business operating in NY and required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under banking, insurance or financial services law.
While these regulations are similar in many ways to existing cybersecurity guidelines, the NYC500 takes things a step further. Outside counsel, accountants, IT firms and other Third Party Service Providers (3PSPs) must also implement policies and procedure to ensure the security of Information Systems and Non Public Information.
Covered entities and their 3PSPs must establish:
A comprehensive Cybersecurity program that performs the 6 core cybersecurity functions
An organization must protect the confidentiality, integrity and availability of its information systems. In order to accomplish this, firms must establish a Cybersecurity program that is able to effectively identify, defend against, detect, respond to, recover and report Cyber Threats.
A comprehensive Cybersecurity policy that addresses 14 specific areas
Every organization faces three main threat vectors:
- Outside attacks
- Insider Threats
- Third Party Incidents
In order to protect against these threats, organizations must set forth policies and procedures for the protection of its Information Systems and Nonpublic Information stored on these systems. Securing data inventory across all systems and devices is crucial to protecting customer data privacy.
Once systems and networks are secured and physical and environmental controls are established, an organization’s policies and procedures must be constantly monitored and updated via risk assessments.
Covered entities are also responsible for establishing Third Party Service Provider management that ensures vendors with access to Information Systems and Non Public Information are implementing New York Cybersecurity policies mirroring that of the covered entity.
NYC500 Cybersecurity policies must also contain business continuity and disaster recovery planning and resources. These incident response mechanisms need to include procedures for accurately reporting data events to the Department of Financial Services in timely matter.
Cyber Security Personnel (CISO) to manage 6 core functions of Cybersecurity program
The Chief Information Security officer must be a qualified individual employed by the entity, affiliate or Third Party and is responsible for implementing, overseeing and enforcing the Cybersecurity program. If the Covered Entity elects to use a 3rd party CISO, the covered entity retains responsibility for compliance, must designate a senior staff member responsible for oversight of 3rd party and the 3rd party must maintain a cybersecurity program that protects the covered entity.
The CISO must report on the Covered Entity’s Cybersecurity program and cybersecurity risks in writing annually to the board of directors or equivalent company management. These reports must consider systems integrity, material risks, cybersecurity policies and procedures, effectiveness of cybersecurity program along with all material Cybersecurity Events involving the covered entity.
Periodic Cybersecurity Risk Assessments
Assessing your Cybersecurity policy must include periodic vulnerability testing and periodic penetration testing. Periodic Risk Assessments must also evaluate risks, assess adequacy of controls and document decisions to mitigate or accept risk.
Covered entities must maintain secure systems that are designed to reconstruct financial transactions. These audit trails are designed to detect and respond to Cybersecurity events that have a reasonable likelihood of harming any material part of CE’s normal operations.
While covered entities must maintain records for at least five years, they are also responsible for destroying Non Public Information in a responsible and timely manner.
Incident Response Plans
Organizations must establish a written Incident Response Plan (IRP) to respond to and recover from Cybersecurity events affecting confidentiality, integrity or availability of the Covered Entity’s Information Systems and Nonpublic Information.
An Incident Response plan must include internal and external processes, goals, role and responsibility definitions, system remediation and documentation and reporting mechanisms for incident related response actions.
Cyber Incident Reporting
Covered Entities must notify the Superintendent, no later than 72 hours, after notification is required by another regulatory agency or supervisory body and when the Cyber Event has a reasonable likelihood of materially harming any part of normal operations.
Annually, all covered entities must certify in writing that the organization is in compliance with all reporting guidelines set forth in the regulation. Organizations are required to maintain information and evidence necessary to support this certification for a period of 5 years. If a covered entity has identified areas which require improvements or updating, the organization must document the remedial efforts planned or underway
While no organization can eliminate their exposure to Cyber Risk entirely, taking a proactive, comprehensive approach to Cyber Risk Management will ensure that your company is not only compliant with the new NYC500 Regulatory guidelines but also resilient in the face of constantly evolving Cyber threats.