New York State Cybersecurity Regulation


“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises…” 

GOV. CUOMO’S PRESS RELEASE

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. August 28, 2017 marks the deadline for implementation.

Covered Entity

A “Covered Entity” means any Person operating under or required to operate under a license, registration, charter, certificate,
permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. [23 NYCRR
500.1(c)]

Overview of 23 NYCRR Part 500

A. Each Covered Entity is required to establish and maintain a written cybersecurity program designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems and the Nonpublic Information therein. (500.02)

B. Each Covered Entity must adopt and maintain a written cybersecurity policy which contains processes and procedures for data governance and classification, access controls and identity management, business continuity and disaster recovery, systems operation and availability concerns, security, monitoring, quality assurance, privacy, third-party service provider management, risk assessment and incident response. (500.03)

C. Each Covered Entity must appoint a Chief Information Security Officer (CISO) to oversee implementation and enforcement of the program and policy. (500.04)

D. Each Covered Entity must supervise and evaluate the cybersecurity programs of Third Party Service Providers who have access to the Covered Entity’s Information Systems and Nonpublic Information. (500.11)

E. Your program needs to include a Risk Assessment, use of qualified cybersecurity personnel, timely destruction of unneeded information and an incident response plan. (500.09, 500.10, 500.13, 500.16)

F. Based on the Risk Assessment of your organization, your program may have to include different levels of annual penetration testing with vulnerability assessments, audit trail systems, access logs, review of access privileges, Multi-Factor Authentication for access, employee training and encryption of Nonpublic Information. (500.05, 500.06, 500.07, 500.12, 500.14, 500.15)

Reporting

To assist Covered Entities with their reporting requirements, DFS has announced a new online portal.

Cybriant offers programs to assist with every aspect of New York’s regulation 23 NYCRR Part 500. The Colorado Division of Security has announced regulations similar to New York’s; under them, the cybersecurity procedures must include all of the following:

  • An annual risk assessment that does not need to be conducted by an independent third party
  • Secure email, including encryption and digital signatures for emails containing Confidential Personal Information
  • Authentication of clients’ email instructions and employee access to electronic communication
  • Disclosure to clients of the risks of using electronic communications

Enterprise-grade managed security services to fit your mission, needs, and budget.

Let our award-winning team make sure your business is safe.

Shoot us a message to start a discussion about how our team can help you today.
