The New York State Department of Financial Services Cybersecurity regulation, or NYC500, goes into effect today, March 1st, 2017.
The origins of the NYC500 can be traced back to 2013, when the NYS DFS began interviewing and surveying insurance and banking companies.
This first-in-the-nation regulation is designed to protect consumers, and the safety and soundness of the Financial Services industry in New York, by requiring Cybersecurity best practices.
NYC500 requires Covered Entities to establish a Cybersecurity Program and implement Cybersecurity Policies to protect the organization's Information Systems and the Nonpublic Information stored on those systems. Additionally, businesses must conduct periodic risk assessments of their Information Systems and periodically review access privileges.
Covered Entities subject to this NYS Cybersecurity regulation are required to implement policies and procedures to secure information accessible to Third Party Service Providers and must establish a policy for the disposal of Nonpublic Information that is no longer needed. In the case of a Cybersecurity Event, these businesses must provide notice to the Superintendent within 72 hours. Finally, each organization subject to the NYC500 must submit an annual Certificate of Compliance.
Who are the Covered Entities? Covered Entities are the businesses that are subject to the NYC500. They are:
- Insurance Agencies
- Insurance Companies
- Financial Advisors
- Many others
You can find the entire list of business classes here.
To qualify for a Limited Exemption under the NYC500, Covered Entities must fall into ONE of the following categories:
- Fewer than 10 employees across all locations in New York
- Less than $5M in gross annual revenue each of the last 3 years
- Less than $10M in total assets
The NYC500 Cybersecurity regulation also requires Covered Entities to follow additional guidance; those who qualify for a Limited Exemption are exempt from these items. These guidelines require Covered Entities to:
- Establish procedures and guidelines for in-house developed applications
- Encrypt data at rest and in transit
- Establish an audit trail
- Develop an incident response plan
- Employ Cybersecurity personnel
- Designate a Chief Information Security Officer (CISO)
- Establish multi-factor authentication
- Train employees and monitor authorized users
- Conduct penetration testing and vulnerability assessments
Many businesses will already have some of these procedures in place due to existing information security laws like Gramm-Leach-Bliley. However, in order to ensure compliance and avoid costly fines and penalties from the DFS, businesses must understand how the new and different components of the NYC500 apply to their respective organizations.
Whether you are a Covered Entity without an exemption or plan on filing for a Limited Exemption under Section 500.19(d), you have 180 days to become compliant with:
- Section 500.02 - Maintain a Cybersecurity Program
- Section 500.03 - Implement and Maintain Cybersecurity Policy
- Section 500.07 - Limit user access privileges as part of Cybersecurity Program
- Section 500.17(a) - Notify DFS Superintendent of Cybersecurity Events as required
While some businesses see this legislation as burdensome, it should be looked at as a positive more than a negative. The reason: 60% of small and medium-sized businesses close their doors forever after a data breach.
Coupling these safety measures with a Cyber Risk insurance policy to help cover catastrophic post-breach costs is simply the cost of doing, and staying in, business in today's increasingly data-driven and interconnected world.