Beginners Guide: 23 NYCRR 500 Compliance
[av_textblock size='' font_color='' color='' admin_preview_bg='']
UPDATED 7/23/19 - Fixed Links and added resources to answer common questions.
UPDATED 10/1/17 - Limited Exemption Filing deadline extended to October 30th, 2017
On March 1st of this year, the clock started ticking for compliance with 23 NYCRR 500 regulations. The Department of Financial Services put out this “first-in-the-nation” cybersecurity regulation due to the increase of consistency and sophistication of cyber attacks over recent years. Although a lot of what the new regulation is asking for is already considered best-practice, many companies have not implemented these processes. Come September this can result in fines on top of the already-existing risk of a security breach.
As an IT/Security professional in the financial industry, a whole new level of responsibility has been forced onto your shoulders.
For a comprehensive guide breaking down this regulation piece by piece, then explaining how to comply, CLICK HERE.
This regulation applies to you if you operate or work within New York State. To what extent is a different story. There is a “Limited Exemption” rule that eliminates certain requirements based on the following criteria. If your company harbors ANY of the following criteria, then you qualify for the exemption within 23 NYCRR 500. Instructions on filing a notice of exemption as an individual.
Have further questions on exemptions?
NYS Addressed exactly which sections you need to comply with for certain exemptions HERE.
- Fewer than 10 employees(Including independent contractors)
- Less than $10 Million in year-end total assets
- Less than $5 million in gross revenue
August 28th, 2017 - This is the first of three deadlines for technical requirements of this regulation. When qualified for the limited exemption rule, a company DOES NOT have to develop an incident response plan and employ cybersecurity personnel by this time.
[UPDATED] was 9/27/17 - October 30th, 2017 - Deadline for filing a Notice of Exemption. Instructions on filing.
February 15th, 2018 - Deadline for the first certification of compliance. Either the Chair of the Board of Directors or a Senior Officer will need to sign a statement saying they have been compliant with 23 NYCRR 500 over the previous year.
March 1st, 2018 - Deadline for the second round of technical requirements.
September 3rd, 2018 - Deadline for the third round of technical requirements for this regulation.
March 1st, 2019 - If working with a Third Party Service Provider to help with IT and security management, there is regulation pertaining to what that relationship requires from both ends.
For a table displaying exemptions and timelines, click here.
Everyone, including those with the limited exemption, must address the following four 23 NYCRR 500 regulation sections by the first deadline, August 28th, 2017.
- The recommended first step to tackling 23 NYCRR 500 would be to run a Risk Assessment(500.09). In order to best address the remaining sections of this regulation, the results of the Risk Assessment will make your life a lot easier. For an introductory checklist click here. Due to the fact that this is not required until March 1st of 2018, you can skip this for now if you are in a time crunch.
The policy and program together create the foundation for not only compliance but an entire cybersecurity strategy.
- Next, the cybersecurity program and cybersecurity policies must be designed and written(500.02 and 500.03). Definitely the most time-consuming effort towards compliance. The program covers how data and systems will be protected and must be based on the Risk Assessment. The program outlines how you will detect events, respond to them, and remediate any damage and report incidents. The policy outlines policies and procedures for protecting data and systems and must cover everything from data governance to access controls, business continuity, and quality assurance.
- Now you can tackle the user access privilege requirement(500.07). Ensure that the proper levels of access are limited to the proper personnel and systems. These privileges must be reviewed periodically and the entire procedure must be baked into the cybersecurity policy.
Those WITHOUT a limited exemption must also address the following two points by August 28th, 2017.
- Another requirement is to ensure proper cybersecurity event reporting(500.17). You can use this form to report any breaches to the Superintendent.
You don’t have to conquer this quest alone. As a managed security service provider, Sedara is committed to ensuring effective network security and full compliance for companies of all sizes. If you have questions about managed network security or compliance with any regulations including 23 NYCRR 500, contact us or leave a comment below.
- Develop an Incident Response Plan or an IRP(500.16). This document will encompass every aspect of responding and remediating security breaches. From the roles personnel will play, how communications are handled, to evaluation and revision of the plan after an event. For a more in-depth view of what goes into an IRP, click here.
- Employ cybersecurity personnel(500.04 and 500.10). Someone has to be crowned the official CISO, taking responsibility for regulatory compliance with 23 NYCRR 500 and overseeing Third Party Service Providers that work with their network security. “Qualified cybersecurity personnel” must be utilized to carry out the cybersecurity program. These personnel must also be provided training and have verifiable knowledge of changing cybersecurity threats and countermeasures.