On March 1st of this year, the clock started ticking for compliance with the 23 NYCRR 500 regulations. The Department of Financial Services put out this “first-in-the-nation” cybersecurity regulation in response to the increasing consistency and sophistication of cyber attacks over recent years. Although much of what the new regulation asks for is already considered best practice, many companies have not implemented these processes. Come September, that can result in fines on top of the already-existing risk of a security breach.
If you are an IT/security professional in the financial industry, a whole new level of responsibility has just been placed on your shoulders.
Does 23 NYCRR 500 matter to me?
If you operate or work within New York State, then yes. To what extent is a different story. There is a “Limited Exemption” rule that eliminates certain requirements based on the following criteria. If your company meets ANY of the following criteria, then you qualify for the limited exemption within 23 NYCRR 500. Instructions on filing a notice of exemption.
- Fewer than 10 employees (including independent contractors)
- Less than $10 million in year-end total assets
- Less than $5 million in gross revenue
When do I need to comply by?
August 28th, 2017 – This is the first of three deadlines for the technical requirements of this regulation. A company that qualifies for the limited exemption rule DOES NOT have to develop an incident response plan or employ cybersecurity personnel by this date.
September 27th, 2017 – Deadline for filing a Notice of Exemption. Instructions on filing.
February 15th, 2018 – Deadline for the first certification of compliance. Either the Chair of the Board of Directors or a Senior Officer will need to sign a statement saying they have been compliant with 23 NYCRR 500 over the previous year.
March 1st, 2018 – Deadline for the second round of technical requirements.
September 3rd, 2018 – Deadline for the third round of technical requirements for this regulation.
March 1st, 2019 – If you work with a Third Party Service Provider to help with IT and security management, the regulation specifies what that relationship requires from both ends.
Okay. I need to comply… Where do I start?
Everyone, including those with the limited exemption, must address the following four 23 NYCRR 500 regulation sections by the first deadline, August 28th, 2017.
- The first step to tackling 23 NYCRR 500 is to run a Risk Assessment (500.09). The results of the Risk Assessment are crucial for properly addressing the remaining sections of this regulation. For an introductory checklist click here.
- Next, the cybersecurity program and cybersecurity policies must be designed and written (500.02 and 500.03). This is by far the most time-consuming effort towards compliance. The program covers how data and systems will be protected and must be based on the Risk Assessment. It outlines how you will detect events, respond to them, remediate any damage, and report incidents. The policy sets out the policies and procedures for protecting data and systems and must cover everything from data governance to access controls, business continuity, and quality assurance.
The policy and program together create the foundation not only for compliance but for an entire cybersecurity strategy. A cybersecurity policy template specific to this regulation can be found here.
- Now you can tackle the user access privilege requirement (500.07). Ensure that access is limited to the appropriate levels for the appropriate personnel and systems. These privileges must be reviewed periodically, and the entire review procedure must be baked into the cybersecurity policy.
- Another requirement is to ensure proper cybersecurity event reporting (500.17). You can use this form to report any breaches to the Superintendent.
Those WITHOUT a limited exemption must also address the following two points by August 28th, 2017.
- Develop an Incident Response Plan, or IRP (500.16). This document encompasses every aspect of responding to and remediating security breaches, from the roles personnel will play and how communications are handled, to evaluation and revision of the plan after an event. For a more in-depth view of what goes into an IRP, click here.
- Employ cybersecurity personnel (500.04 and 500.10). Someone has to be crowned the official CISO, taking responsibility for regulatory compliance with 23 NYCRR 500 and overseeing any Third Party Service Providers that work on the company's network security. “Qualified cybersecurity personnel” must be utilized to carry out the cybersecurity program. These personnel must also be provided training and have verifiable knowledge of changing cybersecurity threats and countermeasures.
Am I the Only One a Bit Overwhelmed?
No. In fact, many other companies don’t really know where to start, or even whether they are exempt. If you stumbled upon this page, you now have the tools necessary to hit the ground running down the path of compliance with 23 NYCRR 500. The best part is that you don’t have to conquer this quest alone. As a managed security service provider, Sedara is committed to ensuring effective network security and full compliance for companies of all sizes. If you have questions about managed network security or compliance with any regulation, including 23 NYCRR 500, contact us or leave a comment below.