
23 NYCRR 500 Compliance: What You Need to Know

December 26, 2017

The first six months of 2017 saw 918 data breaches and 1.9 billion compromised data records, a 164 percent increase in compromised records over the preceding six months. Numbers like these have prompted governments, including the State of New York, to impose requirements for preventing and responding to cyberattacks. One result is 23 NYCRR 500, the cybersecurity regulation issued by the New York State Department of Financial Services (DFS) in response to this uptick in threats. It focuses specifically on financial institutions and is a concentrated effort to keep sensitive customer data and institutional information out of the wrong hands. While many financial firms have proactively strengthened their security, there is still a need for accountability across all parties that handle the personal and financial data of New York financial institutions and their customers. Compliance is vital to avoid penalties, fees, financial losses and possible litigation. Here are some key aspects to consider:

Understand What 23 NYCRR 500 Compliance Means

Financial institutions and financial services firms are hackers' primary target, more so than any other sector, and attacks against them are growing at roughly 29 percent year over year (YOY). In response to this rise, New York adopted a cybersecurity regulation for the financial sector, referred to as 23 NYCRR Part 500. It requires every covered financial institution and financial services company in New York to confirm its cybersecurity controls in an annual Certification of Compliance, prepared and submitted to the superintendent of the New York State Department of Financial Services (DFS).

The purpose of the regulation is to safeguard private and sensitive consumer data, along with company data and infrastructure, from unauthorized individuals who may use it maliciously, whether by holding information hostage for payment (a ransomware attack) or by using the data to commit a crime such as securities fraud or financing a terrorist organization. Some entities are partially exempt from the rules, such as those with fewer than 10 employees, including independent contractors.

Get to Know Its Requirements

23 NYCRR 500 sets several requirements that financial institutions and financial services companies in New York must follow. The main ones are:

Establish a cybersecurity program. The enterprise's program must be designed to identify risks to its information systems, detect cybersecurity events, and carry out the policies and procedures that protect consumer and company data from unauthorized access.

Training. Ransomware and distributed denial of service (DDoS) attacks are increasing and a cause for concern, but research indicates that most cyber threats can be traced to employees and third parties who have access to consumer and company data. Training employees is therefore a core requirement of 23 NYCRR 500.

Adopt a written cybersecurity policy. The policy must be written down and must cover, at a minimum, areas such as risk assessment, the privacy of customer data, network security and monitoring, and business continuity and disaster recovery, so that the business can keep operating through an event such as a DDoS attack.

Designate a Chief Information Security Officer (CISO). Regulated financial institutions must designate a CISO who is responsible for overseeing and implementing the cybersecurity program and enforcing its policies. The CISO must report in writing to the board at least annually, covering key information such as a summary of material cybersecurity events, the material cyber risks identified, and the confidentiality of nonpublic information and the integrity and security of the information systems.

Establish Third-Party Specific Policies. Covered entities must adopt written policies and procedures that govern the security of information systems and nonpublic information accessible to, or held by, third parties such as vendors or affiliates.

Be Aware of Other Requirements. These include, but are not limited to, annual penetration testing and twice-yearly vulnerability assessments, implementing and maintaining audit trails, multi-factor authentication, encryption of nonpublic information, and timely disposal of nonpublic information that is no longer necessary for business operations or required by law to be retained.

Recognize Penalties

While the regulation took effect on March 1st, 2017, covered entities were given a 180-day transitional period to come into compliance. Enterprises must now fully comply and file their first Certification of Compliance by February 15th, 2018. Compliance is important to avoid penalties. Companies in the financial sector, or offering financial services, that do not comply face enforcement under the New York Banking Law, including fines of up to $250,000 and the loss of their licenses.

Leverage IT Assistance

Having a plan is not enough; a team is also needed to carry it out. An IT services provider can help ramp up a cybersecurity program using the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which offers a flexible, customizable approach to organizing security controls. A provider with the expertise and skills to implement those controls, and that takes the time to review and understand the requirements, can help financial enterprises meet their 23 NYCRR 500 obligations.

Discover How TechWerxe Can Help

Complying with 23 NYCRR 500 is vital to meeting its reporting deadlines and avoiding penalties, and it doesn't need to be a solo job. Consider leveraging help from a company with cybersecurity expertise, such as TechWerxe. TechWerxe has been helping companies in the financial industry maintain security and compliance standards by offering round-the-clock assistance from professionally trained cybersecurity experts with the experience to achieve 23 NYCRR 500 compliance and strengthen security measures.


Sources:
https://www.cnbc.com/2017/09/20/cyberattacks-are-surging-and-more-data-records-are-stolen.html
https://www.darkreading.com/endpoint/financial-services-sector-the--1-target-of-cybercriminals/d/d-id/1328775
http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
https://securityintelligence.com/financial-sector-remains-a-top-target-in-2017/
https://www.pwc.com/us/en/cybersecurity/information-security-survey.html
http://www.dfs.ny.gov/about/cybersecurity.htm
http://codes.findlaw.com/ny/banking-law/bnk-sect-44.html
https://www.forbes.com/sites/realspin/2016/12/02/proposed-ny-cybersecurity-regulation-a-giant-leap-backward/


About TechWerxe

TechWerxe is a leading IT company focused on providing companies with customized solutions for their business.