Although some limited exemptions apply, let’s be clear: Any entity regulated by New York’s Department of Financial Services (DFS) must comply with at least parts of 23 NYCRR 500.
Small business? You still need to follow many sections of the law. Headquartered elsewhere? If you do business in New York, the law applies to your company. State-chartered banks, licensed lenders, private bankers, mortgage companies, and insurance companies, as well as their third-party service providers? Yes, this means you.
Here’s our breakdown of how the law has New York’s financial sector poised to play its part in a safer future:
- Covered entities must provide evidence that they have taken steps to safeguard the confidentiality and integrity of sensitive client data. Areas such as information security, data governance and classification, asset inventory and device management, and access controls and identity management are of the utmost importance.
- Companies must assess external and internal cyber risks, and most must create an incident response plan that details how they will respond in the event of a breach. A critical factor is how quickly the hacked business can inform DFS and consumers about the nature and scale of the attack.
- The appointment of a Chief Information Security Officer (CISO) and cybersecurity personnel is critical for most companies. The CISO can be in-house or provided by a third party. It’s the CISO’s duty to provide qualified expertise as the cybersecurity program is implemented and to continually oversee its operation.
The biggest myth out there is that some companies are exempt from complying with NYCRR 500. While some may be deemed small enough to escape some of the more onerous and costly parts, they must still meet many of the law’s requirements.
Which entities qualify for a limited exemption?
To qualify for a limited exemption, companies must meet one or more of the following criteria:
- fewer than 10 employees located in New York, including independent contractors
- less than $5 million in gross annual revenue from business operations in New York for each of the last three fiscal years
- less than $10 million in year-end total assets
Businesses that receive limited exemptions are not obligated to follow certain parts of the regulation. These include designating a CISO, encrypting or developing equivalent controls for non-public information, creating requirements for training and monitoring, using multi-factor authentication, maintaining audit trails, and writing an incident response plan.
But they are still subject to robust requirements:
- Establishing a security program and implementing cybersecurity policies
- Providing notice to DFS of cybersecurity events
- Establishing policies for the disposal of non-public information
- Limiting and periodically reviewing access privileges
- Conducting periodic risk assessments
- Implementing policies and procedures to secure information accessible to third-party service providers
Remember, it only takes one successful attack to cost a financial company large amounts of money and damage its credibility.
We, as an IT service provider, will do as much of the heavy lifting as companies want, including risk assessments, cyber and business policy templates, employee training, incident response plans, technology solutions, reporting to DFS, and more.
New York’s new cybersecurity compliance mandates are bold, but they are not too difficult or expensive to achieve. A qualified cybersecurity provider can make these needed changes seamlessly for any business or organization. Talk to a trusted cybersecurity provider about the mandates of 23 NYCRR 500.