The financial services sector is under constant threat of data breaches and cyber-attacks. With 4000 cyber-attacks reported per day, the stability of the global financial sector is at stake. Criminals now use more sophisticated methods to extract funds from victims online by holding their encrypted data hostage with malicious software (ransomware), and they are evading detection with great ease. This highlights the urgency of strengthening cybersecurity controls and meeting the minimum regulatory standards issued by NYDFS. 23 NYCRR Part 500 contains a new set of cybersecurity regulations that make many new cybersecurity requirements mandatory for all NYDFS-covered financial entities.
To combat cyber threats and protect consumer data, the New York Department of Financial Services (NYDFS) has made it mandatory for all licensed, registered and DFS-regulated organizations to comply with a new regulatory standard, 23 NYCRR Part 500. It is a first-of-its-kind cybersecurity regulation, in effect since March 2017, that formalizes the requirement to provide an annual certification of 23 NYCRR 500 compliance and imposes monetary and operational penalties for non-compliance. Listed below are the key areas and components your organization will have to focus on to achieve 23 NYCRR Part 500 compliance.
Key Areas to Focus on for Achieving 23 NYCRR Part 500 Compliance
If you want to comply with the 23 NYCRR Part 500 regulations, you will have to present proof that you have taken measures to protect the integrity and confidentiality of sensitive consumer data. Addressing fourteen key areas, including information security, data governance/classification, asset inventory and device management, and access controls and identity management, is essential for your business.
You are responsible for evaluating external and internal cyber threats and for maintaining an incident response plan that shows how quickly and effectively your organization will respond to a data breach. Its effectiveness will be judged by the speed of the response and the promptness with which not only DFS but also clients are informed of the nature and severity of the breach.
Hiring a CISO (Chief Information Security Officer) and qualified cybersecurity personnel is a must. The CISO can be an in-house staff member or a third party, and must bring the required expertise to establishing the cybersecurity program and continuously supervising its operation. The CISO can also designate an in-house staff member of your organization to assist in keeping your systems safe and secure.
Key components required for 23 NYCRR Part 500 compliance:
- Appointing a CISO (if there is none)
- Creating and managing a comprehensive Cybersecurity program
- Implementing a written Cybersecurity policy
- Performing cyber risk assessments periodically
- Documenting all Cyber related policies and procedures in your organization
- Performing penetration testing annually and vulnerability assessments bi-annually
- Training and monitoring all of your staff regularly
- Monitoring your assets and making audit trails following a carefully prepared plan of action
- Restricting user access
- Securely disposing of any unneeded data
- Notifying the NYDFS Superintendent within 72 hours of a breach
- Getting the annual compliance certification approved by the Chairperson or a Senior Officer of the Board of Directors (BOD)
If your business hasn’t yet taken any steps toward this new cybersecurity regulation, a quick risk assessment is the place to start to identify possible risks. It is never too late to get your cybersecurity in line. Even if you are on the verge of missing this year’s compliance and cybersecurity deadlines, get help from CompCiti. With expertise in cybersecurity audit and compliance, CompCiti is helping financial institutions in New York with 23 NYCRR 500 compliance. Call CompCiti at (212) 594-4374 for a free consultation and no-obligation assessment!