The two-year transitional period that the New York State Department of Financial Services (NYS DFS) built into its cybersecurity regulation, 23 NYCRR 500, ended this past March 1, 2019. That does not mean the work ends here; in practice it is just getting started. New York gave regulated institutions, or "covered entities," a 24-month break-in period, with requirements phased in over that time, before they had to comply with every section of the regulation. The training wheels are now off, and every requirement must be met each year moving forward.
Not Only Security
The regulation requires all covered financial institutions, insurers, and banks to adhere to the rules prescribed by the NYS DFS on an annual basis, in perpetuity. Over the past 24 months CCSI has worked with multiple clients on this regulation and has written and spoken on the subject numerous times, and we have noticed a common thread in our advisory work: many of the clients we deal with are looking for continuous monitoring to help them meet these obligations. 23 NYCRR 500 is about more than security. I personally feel it is a privacy regulation more than anything, since it guides organizations on how to protect not only the security but also the privacy of their nonpublic information (NPI).
MSSP and vCISO
When dealing with this and other regulations, we are seeing a shift toward managed services, with clients looking to MSSPs to fill the gap. This regulation alone includes a section (500.11, Third Party Service Provider Security Policy) on how covered entities must govern the MSSPs, or "Third Party Service Providers," they use. Section 500.10 (Cybersecurity Personnel and Intelligence) allows a covered entity to use a third party service provider to supplement, or to serve as, its security team. And section 500.04 (Chief Information Security Officer) states that the CISO may be employed by a third party service provider, which lets an outside party help build the program as needed. Taken together, these sections show that the regulation explicitly accommodates MSSPs, and that relying on them to improve continuous monitoring is a path the regulators anticipated.
One notable thing about this regulation is how much it focuses on how the small and medium-sized business (SMB) market would handle security. Those who wrote it had a firm understanding of what would be required of covered entities from a managed security services standpoint. They had the foresight to see that most of the large financial institutions and insurers were already performing this type of security under other regulations and had the budget and resources to do so, but that small and medium-sized organizations might need assistance from qualified third parties.
Services for 23 NYCRR 500
At CCSI, we offer managed services that align with the majority of the sections in the 23 NYCRR 500 regulation, and those services are covered by a SOC 2 Type II report. With these services and that SOC 2 attestation we are able to fully assist organizations adhering to the NYS DFS regulation. These services were not created solely for NYS DFS clients; they were built with a foundational security posture in mind. We are firm believers in providing the basic, necessary security services to our clients first, and then assisting them with their more unique security challenges as they build on that firm foundation.
Author Bio: Matthew Pascucci is the Cybersecurity Practice Manager at CCSI, with over 16 years' experience in IT focusing on cybersecurity. Previously he worked in the manufacturing, financial, ecommerce, healthcare, and service industries, developing security programs for his employers.
He joined CCSI to develop a cybersecurity practice that includes managed security services, penetration testing, and risk assessments for organizations of every size and vertical. He holds multiple information security certifications and has written and spoken about cybersecurity for the past decade. Matt is a privacy advocate and security blogger with hundreds of publicly published articles and presentations. He is the founder of www.frontlinesentinel.com and a board member of the local chapters of InfraGard and OWASP. Matthew can be contacted via his blog, on Twitter @matthewpascucci, or via email at email@example.com.