New York is one of the biggest financial hubs in the world, and where there is sensitive financial information there are people who want to get their hands on it. It is for this reason that major financial firms operating in New York face stiff cybersecurity obligations under the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
The regulation applies to firms operating in New York under a banking, insurance or financial services licence, registration or charter. 23 NYCRR 500 has been effective since March 1st 2017, although firms have a 180-day transitional period from that date to change internal systems and processes in order to meet the new compliance requirements.
A key area the new regulation covers is cybersecurity leadership throughout the organisation, by designating a qualified individual to serve as the Chief Information Security Officer (CISO). This designated individual is tasked with overseeing and enforcing the firm’s cybersecurity programme and policy. Each organisation also needs to implement regular staff training covering its specific cybersecurity risk areas.
The regulation requires organisations to have detection, defence and response capabilities, including regulatory reporting as well as penetration testing. As with other new regulations, such as the European General Data Protection Regulation (GDPR), organisations must notify the DFS of reportable cybersecurity events as promptly as possible, and no later than 72 hours after determining that such an event has occurred.
So how do organisations ensure they are compliant with 23 NYCRR 500? Evaluating the cybersecurity changes that may be required within the organisation together with the senior management team, including the CISO and the board of directors, is a good place to start.
The key tasks organisations must complete to comply with 23 NYCRR 500 include:
- Appoint a CISO (if one isn’t already in place)
- Perform risk assessments (which must be kept up to date on an ongoing basis)
- Document all organisational policies and procedures
- Perform penetration testing and vulnerability assessments
- Train all staff on a regular basis
- Monitor your assets and create audit trails
- Limit user access privileges to what each role requires
- Securely destroy unnecessary data
Find out more with the NYDFS Cybersecurity Regulation Factsheet