Beginners Guide: 23 NYCRR 500 Compliance
The clock is ticking for compliance with 23 NYCRR 500 regulations. The Department of Financial Services put out this “first-in-the-nation” cybersecurity regulation due to the increase in consistency and sophistication of cyber attacks over recent years. Many companies have not implemented these processes. This can result in fines on top of the already-existing risk of a security breach.
As an IT/Security professional in the financial industry, a whole new level of responsibility has been forced onto your shoulders.
Exemptions
This regulation applies to you if you operate or work within New York State. There is a “Limited Exemption” rule that eliminates certain requirements based on the following criteria. If your company harbors ANY of the following criteria, then you qualify for the exemption within 23 NYCRR 500. Here are instructions on filing a notice of exemption as an individual:
- Fewer than 10 employees(Including independent contractors)
- Less than $10 Million in year-end total assets
- Less than $5 million in gross revenue
Getting Started
Everyone, including those with the limited exemption, must address the following four 23 NYCRR 500 regulation sections.
The recommended first step to tackling 23 NYCRR 500 would be to run a Risk Assessment(500.09) to best address the remaining sections of this regulation. For an introductory checklist, click here.
Next, the cybersecurity program and cybersecurity policies must be designed and written(500.02 and 500.03). This is the most time-consuming effort towards compliance. The program covers how data and systems will be protected and must be based on the Risk Assessment. The program outlines how you will detect events, respond to them, remediate any damage, and report incidents. The policy outlines policies for protecting data and must cover everything from data governance to access controls, business continuity, and quality assurance.
Cybersecurity Strategy
The policy and program together create the foundation for compliance and an entire cybersecurity strategy.
Now, you can tackle the user access privilege requirement(500.07). Ensure that the proper levels of access are limited to the proper personnel and systems. These privileges must be reviewed periodically and the entire procedure must be baked into the cybersecurity policy.
Another requirement is to ensure proper cybersecurity event reporting(500.17). You can use this form to report any breaches to the Superintendent.
For Those Without Limited Exemption
Those WITHOUT a limited exemption must also address the following two points: Develop an Incident Response Plan or an IRP(500.16).
This document will encompass every aspect of responding to and remediating security breaches. This will cover the roles personnel will play, how communications are handled, and the evaluation and revision of the plan after an event. For a more in-depth view of what goes into an IRP, click here.
Employ cybersecurity personnel(500.04 and 500.10). Someone has to be crowned the official CISO, taking responsibility for regulatory compliance with 23 NYCRR 500 and overseeing Third Party Service Providers that work with their network security. “Qualified cybersecurity personnel” must be utilized to carry out the cybersecurity program. This person must get training and have verifiable knowledge of changing cybersecurity threats and countermeasures.
How Sedara Can Help You
You don’t have to conquer this quest alone. As a managed security service provider, Sedara is committed to ensuring effective network security and full compliance for companies of all sizes.
If you have questions about managed network security or compliance with any regulations including 23 NYCRR 500, contact us or leave a comment below.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats–and what to do about them–just like our clients do.