Five Key Highlights from 23 NYCRR Part 500 Cybersecurity Regulations

The New York Department of Financial Services (NYDFS) cybersecurity regulations, commonly known as 23 NYCRR Part 500, came into effect in March 2017. According to the regulation, any person who is operating or requires operation under a license, registration, charter, certificate, permit, accreditation or any similar authorization under the Banking Law, Insurance Law or Financial Services Law is considered a covered entity and must comply with the regulation.


The new regulations acknowledge that cybercriminal threats have increased significantly over the past decade. The NYDFS cybersecurity regulations identify the areas where specific cybersecurity measures are required so that breaches are less likely to occur. 23 NYCRR Part 500 marks a shift from regulating breach disclosure to regulating the implementation of appropriate security controls.


If a covered entity does not comply with 23 NYCRR Part 500, it is likely to face fines or a review of its program. It is therefore necessary for all affected organizations to review and consider the regulation thoroughly. There are five key requirements of the NYDFS cybersecurity regulation that you must know:


1. All covered entities need to have a cybersecurity program. As per section 500.02, each covered entity needs to maintain a cybersecurity program that protects the confidentiality, integrity, and availability of the Covered Entity's Information Systems. Additionally, covered entities need to employ a Chief Information Security Officer (CISO) who is responsible for reporting to the board so that senior management can review and approve the cybersecurity policies.


2. Covered entities need to have a third-party service provider risk management program. According to section 500.11, every covered entity needs to implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to third-party service providers. Covered entities also need to monitor all third-party vendors and periodically assess their security.


3. Covered entities need to file an annual compliance certification. According to the regulation, the chairman of the board of each covered entity is required to submit a self-certification stating that the board has reviewed the cybersecurity documentation and policies and that the board is compliant with the cybersecurity regulations.


4. Covered entities need to provide cybersecurity training to all their personnel. According to section 500.14, covered entities must provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified by the covered entity in its risk assessment. This ensures that all employees have the knowledge required to handle IT and security issues and can help the organization mitigate and address cyber threats.


5. Covered entities must use technology controls for cybersecurity. The 23 NYCRR Part 500 regulations include a number of technological controls: section 500.05 for penetration testing and vulnerability assessments, section 500.08 for application security, section 500.12 for multi-factor authentication, and section 500.15 for encryption of nonpublic information.


Conclusion:
The compliance experts at CompCiti Business Solutions, Inc. not only ensure that you are compliant with the 23 NYCRR Part 500 cybersecurity regulations, but also help you implement a more effective, long-term cyber security protocol in the process. To know more, visit https://compciti.com/nycrr/


