As we've previously discussed, the New York Department of Financial Services proposed a new regulation on the cybersecurity procedures of the financial industry. On March 1, 2017, 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies was enacted. The regulation requires banks, insurance companies and other financial institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program. It is important to note this regulation does not apply to nationally chartered institutions.
This regulation, like other federal (HIPAA) and state (Massachusetts Security Regulation) regulations, is a response to the growing threats to financial systems and data posed by nation-states, terrorist organizations and independent criminal actors. The financial services industry has been a significant target of cybersecurity threats and in this writer’s opinion will continue to be.
In summary, under 23 NYCRR 500, NYS-regulated financial institutions, referred to as Covered Entities, must:
Establishing and adopting a cybersecurity policy and program includes, among other things, performing risk assessments, employee training, penetration testing and access privilege reviews. The focus of 23 NYCRR 500 is on implementing a policy that is both preventive and reactive, so that the institution can quickly recover should a security incident occur.
According to the NYS Department of Financial Services website, key dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500) are as follows:
Whether or not your company is a NYS-regulated financial institution, if it has a current information security plan, policies and procedures, it should update them to reflect these requirements. Any company that does not currently have an information security plan, policies or procedures should be proactive and use 23 NYCRR 500 as a guide to create one.
The financial industry is the most regulated from a cybersecurity standpoint because it has the highest likelihood of being targeted by hackers. By building your company’s information security program on the requirements and guidelines outlined in this regulation, you will have established a sound information security plan.