New York State Implements Cybersecurity Regulation 23 NYCRR 500

March 02, 2017, Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

On March 1st, 2017, sweeping new cybersecurity requirements were placed on organizations regulated by the New York State Department of Financial Services. The law applies to a broad set of ‘covered entities’ that are supervised by the NYDFS, including banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York. While large entities most likely meet these requirements already, and very small entities are exempted from some of the requirements, mid-market firms will be challenged to meet aggressive implementation timelines.

Within the next 180 days, firms must ensure they have a comprehensive Cybersecurity Program in place, supported by written and implemented Cybersecurity Policies. They also need to limit user access privileges to Information Systems providing access to “Nonpublic Information” and must have a formal Incident Response Plan.

All of this is going to be a daunting challenge for many firms. The new regulations also require them to “utilize qualified cybersecurity personnel” who are sufficiently trained and are kept current on cybersecurity risks. And this is just in the first 180 days!

But the law goes even further. Over the next 12 months, these firms will also have to name a Chief Information Security Officer (CISO), conduct Risk Assessments, Penetration Tests and Vulnerability Scans, implement Multi-Factor Authentication, and train employees. It is going to be a very busy year. And the Chairperson of the Board or a Senior Officer of the company is required to sign and file a Certificate of Compliance in February 2018. In the coming weeks, we’ll be discussing how mid-market firms – those too large for exemptions but too small to have existing resources – can approach complying with these regulations. The task is large but not without hope. And the ultimate goal, better protection of customer and proprietary sensitive data, is one we can all get behind.
