Four Phases of the 23 NYCRR 500 Regulations – A Brief Overview

The threat of cyberattacks has grown tremendously, and as a result businesses operating in the financial and insurance industries in New York have been mandated to establish stronger cybersecurity programs. The New York State Department of Financial Services (NYDFS) has therefore issued a set of rules and regulations, known as 23 NYCRR 500, requiring the banks, insurance organizations, and other financial institutions it supervises to create and maintain robust cybersecurity programs.

The first phase of the 23 NYCRR 500 regulations was finalized on March 1, 2017, requiring the covered entities to comply with the regulation by August 28, 2017. Want to get your organization compliant with the regulations within the set 23 NYCRR 500 timeline?


Four Phases of NYDFS Cybersecurity Regulation (23 NYCRR 500)

The compliance requirements of the 23 NYCRR 500 cybersecurity regulation were rolled out in four phases over a two-year period. Let us check out the phases below:

Phase 1: By August 28, 2017:

Development of a robust cybersecurity program: Covered entities need to design a cybersecurity program for protecting the confidentiality, integrity, and availability of the organization’s IT solutions in New York.

Development of cybersecurity policy: Covered entities must develop strategies that will help them in protecting the IT systems as well as non-public information.

Employing a Chief Information Security Officer (CISO): Covered entities must appoint a qualified and experienced individual, either from within their firm or through a third party, to oversee and implement the cybersecurity program effectively.

Limiting User Access: The covered entities need to limit user access to their organization’s IT systems and non-public information as required.

Employing Cybersecurity Personnel and Intelligence: Covered entities should employ qualified individuals to manage security risk and oversee the performance of core security functions.

Establishing an Incident Response Plan: Organizations need to establish a plan that enables them to respond promptly to a security incident and recover any information that is lost.

Notifying the Superintendent: The NYDFS superintendent needs to be notified each time there is a security incident within the organization.

Phase 2: By March 1, 2018:

Conducting Risk Assessment: A security risk assessment must be conducted on IT systems and non-public information, which needs to be updated when necessary.

Conducting Penetration Testing and Vulnerability Assessments: Organizations should conduct penetration testing annually and vulnerability assessments bi-annually to assess how effective their cybersecurity program is.

Annual Reporting by CISO: The CISO needs to provide a cybersecurity report to the senior officers or board of directors of the organization on an annual basis.

Multi-factor Authentication: For accessing internal networks from an external network, users need to use multi-factor authentication methods.

Submitting Notices of the Incidents to Superintendent: A written statement certifying compliance with the NYDFS cybersecurity requirements needs to be submitted to the NYDFS superintendent by February 15 of every year.

Awareness Training and Monitoring: The organization needs to run a program under which regular security awareness training is provided to employees.

Phase 3: By September 1, 2018:

Audit Trail: Organizations need to maintain security systems that can log and reconstruct material financial transactions in order to detect and respond to incidents immediately.

Establishing Application Security: Organizations need to create written procedures and plans to secure the development, monitoring, and assessment of in-house applications.

Limiting Data Retention: Organizations must develop policies and procedures for the secure disposal of non-public information.

Implementation of Risk-based Policies: Organizations need to implement risk-based systems and controls for detecting unauthorized access to, or use of, the non-public information held by the organization.

Encryption of Non-public Information: Organizations need to encrypt non-public information while it is in transit over external networks.

Phase 4: By March 1, 2019:

Developing a third-party service provider security policy: Organizations covered under the regulation need to develop written procedures for ensuring the security of non-public information when it is shared with third-party service providers.

Conclusion:
If you want your company to be compliant with the 23 NYCRR 500 timeline and are looking for professional help, the Compliance Experts at CompCiti Business Solutions, Inc. can help you out. For further details visit https://compciti.com/23-NYCRR-part-500-compliance/

Disclaimer: This content is created and provided by a third-party online content writer on behalf of CompCiti, and is for commercial purposes only. CompCiti does not take any responsibility for the accuracy of this article.

Source: https://23nycrrpart500.wordpress.com/2020/01/08/four-phases-of-the-23-nycrr-500-regulations-a-brief-overview/