23 NYCRR 500 – NYS DFS Cybersecurity Regulation

On March 1st of this year, the Department of Financial Services put out “first-in-the-nation” cybersecurity regulation due to the increase of consistency and sophistication of cyber attacks over recent years. Although a lot of what the new regulation is asking for is already considered best-practice, many companies have not implemented these processes. Come September this can result in fines on top of the already-existing risk of a security breach.

As an IT/Security professional in the financial industry, a whole new level of responsibility has been forced onto your shoulders.

Does 23 NYCRR 500 matter to me?

If you operate or work within New York State then, yes. To what extent is a different story. There is a “Limited Exemption” rule that eliminates certain requirements based on the following criteria. If your company harbors ANY of the following criteria, then you qualify for the exemption within 23 NYCRR 500. Instructions on filing a notice of exemption.

• Fewer than 10 employees (Including independent contractors)
• Less than $10 Million in year-end total assets
• Less than $5 million in gross revenue

Learn how to file an exemption click here

When do I need to comply by

• August 28th, 2017 – This is the first of three deadlines for technical requirements of this regulation. When qualified for the limited exemption rule, a company DOES NOT have to develop an incident response plan and employ cybersecurity personnel by this time.
• September 27th, 2017 – Deadline for filing a Notice of Exemption. Instructions on filing.
• February 15th, 2018 – Deadline for the first certification of compliance. Either the Chair of the Board of Directors or a Senior Officer will need to sign a statement saying they have been compliant with 23 NYCRR 500 over the previous year.
• March 1st, 2018 – Deadline for the second round of technical requirements.
• September 3rd, 2018 – Deadline for the third round of technical requirements for this regulation.
• March 1st, 2019 – If working with a Third Party Service Provider to help with IT and security management, there is regulation pertaining to what that relationship requires from both ends.

Make sure your organization is ready for each transitional period. Download the NYS DFS Cybersecurity Road Map.

Sounds like I need to comply… Where do I start?

Everyone, including those with the limited exemption, must address the following four 23 NYCRR 500 regulation sections by the first deadline, August 28th, 2017.

1. A recommended first step in addressing 23 NYCRR 500 would be to run a Risk Assessment (500.09). In order to best address the remaining sections of this regulation, the results of the Risk Assessment will be a starting point to branch out from. Due to the fact that this is not required until March 1st of 2018, you can skip this for now if you are in a time crunch.
2. Next, the cybersecurity program and cybersecurity policies must be designed and written (500.02 and 500.03). Definitely the most time-consuming effort towards compliance. The program covers how data and systems will be protected and must be based on the Risk Assessment. The program outlines how your company will detect events, respond to them, and remediate any damage and report incidents. The policy outlines policies and procedures for protecting data and systems and must cover everything from data governance to access controls, business continuity, and quality assurance. The output of this program, ie: the policy and program – together create the foundation for not only compliance but an entire cybersecurity strategy.
   Need a cybersecurity policy template specific to this regulation? Contact Us
3. Now you can tackle the user access privilege requirement (500.07). Ensure that the proper levels of access are limited to the proper personnel and systems. These privileges must be reviewed periodically and the entire procedure must be baked into the cybersecurity policy.
4. Another requirement is to ensure proper cybersecurity event reporting (500.17).

Those WITHOUT a limited exemption must also address the following two points by August 28th, 2017.

1. Develop an Incident Response Plan or an IRP (500.16). This document will encompass every aspect of responding and remediating security breaches. From the roles personnel will play, how communications are handled, to evaluation and revision of the plan after an event.
2. Employ cybersecurity personnel (500.04 and 500.10). Someone has to be crowned the official CISO, taking responsibility for regulatory compliance with 23 NYCRR 500 and overseeing Third Party Service Providers that work with their network security. “Qualified cybersecurity personnel” must be utilized to carry out the cybersecurity program. These personnel must also be provided training and have verifiable knowledge of changing cybersecurity threats and countermeasures.

This whitepaper covers some of the key areas of the regulation and offers insight in to where you should be looking at first. Download the whitepaper to help your business stay healthy, safe and profitable.

Am I the Only One a Bit Overwhelmed?

No. In fact, many other companies don’t really know where to start or if they are even exempt.  CCSI has provided this information so companies now  have the basic tools necessary to hit the ground running down the path of compliance with 23 NYCRR 500.

The best part is you don’t have to conquer this quest alone. As a managed security service provider, CCSI is committed to ensuring effective network security and full compliance for companies of all sizes. If you have questions about managed network security or compliance with any regulations including 23 NYCRR 500, contact us.

CCSI’s Larry Bianculli and Matthew Pascucci discuss the NYS DFS or 23 NYCRR cybersecurity regulation basics and how to prepare for it.

How to File the Certificate of Compliance

Matthew Pascucci from CCSI, Gabrial Gumbs from STEALTHbits, and Paul Ferrillo from Weil’s Litigation discuss the NYS DFS 23 NYCRR 500 Certification of Compliance and how to submit the certification due on February 15.

NYS DFS Cybersecurity Regulation Phase 4 webinar

CCSI discusses the NYS DFS Cybersecurity webinar series on the Phase 4 requirements for the New York State’s Department of Financial Services (DFS) 23 NYCRR 500 Regulation. This webinar will have Matthew Pascucci, Cybersecurity Practice Manager for CCSI, discuss the items required for the final Phase 4.

Discover how CCSI can improve your business!