March 1, 2017, when the state of New York issued the 23 NYCRR 500 regulation. What is this law? And what is its purpose? Read this post to learn more.
Understanding 23 NYCRR 500
23 NYCRR 500 is a new set of regulations from “NYDFS” or the New York State Department of Financial Services. This NYDFS cybersecurity regulation is to place new cybersecurity requirements for all covered financial institutions.
Covered entities include the following:
- The state-chartered banks
- The foreign banks who have the license to operate within the state of New York
- Insurance companies, as well as
Besides, organizations have limited exemptions to the 23 NYCRR 500 if:
- They employ less than ten people.
- N the past 3 years, they only produce less than 5 million dollars in gross annual revenue. And,
- If they hold less than 10 million dollars in year-end total assets.
Moreover, this regulation works by imposing strict cybersecurity rules. These rules include the installation of a detailed cybersecurity plan and designating a CISO. This also includes the enactment of cybersecurity policy. As well as the initiation and reporting system for cybersecurity events.
23 NYCRR 500 Compliance Requirements
A cybersecurity program that complies with this regulation must adhere to the following key requirements:
- You should identify all internal and external cybersecurity threats.
- Then, you have to employ defense infrastructure to protect against those threats you have identified.
- You have to use systems detecting cybersecurity events.
- Respond to all detected events.
- Work to recover from those events. And
- Fulfill several requirements for regulatory reporting.
The Cybersecurity Policy Design
This policy design must address concerns in aligning with industry best practices. This coverage should include:
- The information security as well as the access controls
- Disaster recovery planning
- The systems and network security
- Customer data privacy, and
The Reporting Procedures
This phase 2 went into effect last March 1, 2018. CISOs are asked to prepare an annual report including the following:
- Company’s cybersecurity policies and procedures.
- The security risks, as well as the
- Company’s current cybersecurity measures effectiveness.
It’s effective on September 3, 2018. This asks the institutions to have a comprehensive cybersecurity program in place. These programs must contain the following:
- An audit trail reflecting the threat detection and response activities.
- Written documentation of procedures, standards, and guidelines. This includes the procedures for evaluating third-party applications.
- Also includes data retention policy documentation in detail, including how non-public personal information is disposed of, and
- The encryption and other robust security control measures.
The Third-Party Securities
This final requirement went into effect on March 1, 2019. In this phase, institutions are to finalize policies concerning any third-party with permissions to access systems and files.
Moreover, the covered institutions are to develop and submit a written policy for third-party service providers. This may also include the following:
- The covered financial institution’s security requirements. And third-party service providers also need to meet these requirements.
- Processes of evaluating the third-party service provider’s security practices effectiveness, and
- The periodic assessment of third-party policies and controls.
Rate this post: