New York Cyber Security Regulation | 23 NYCRR 500 WISP

By Bill Minahan   |   December 15, 2020   |   9 Comments

What is the New York Cyber Security Regulation?

The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement effective cyber security programs.

Additionally, the New York Cyber Security Regulation requires financial services firms operating in New York to have a full security risk assessment, cyber security plan, and a written information security program (WISP).

Essentially, the regulation includes 23 sections that require covered entities (those who are legally required to comply with the 23 NYCRR 500) to assess their cyber security risk and develop a plan to mitigate it.

Furthermore, the regulation was rolled out in 4 phases to give covered entities ample time to implement, test, and adjust new cyber security plans and policies.

According to Governor Cuomo, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

So this prompts the following questions:

• Which organizations fall under covered entities?
• How do you become compliant?
• What’s the penalty for not complying with the New York Cyber Security Regulations?

Well, let’s dive in!

Who is a Covered Entity for the New York Cyber Security Regulation?

All entities operating in the state of New York under banking law, insurance law, or financial services law are considered covered entities for the New York Cyber Security Regulation. Specifically, some examples of covered entities could be:

• Insurance companies
• Mortgage companies
• Financial service providers
• Licensed lenders
• Private bankers
• State-chartered banks
• Foreign banks operating in New York

However, 23 NYCRR 500 also lists entities that are exempt from having to comply. Specifically, the exemption list for the New York Cyber Security Regulation includes organizations that:

• Have less than 10 employees, including contractors
• Do not directly or indirectly operate, maintain, use, or control any information systems
• Have less than $5 million in gross annual revenue from New York operations in each of the last three years
• Have less than $10 million in year-end total assets, including assets of affiliates

How to Comply with 23 NYCRR 500

To comply with the New York Cyber Security Regulation, businesses must take a few steps. The level of work required to comply varies greatly between businesses. Furthermore, the work required depends on the level of cyber security maturity each organization possessed before the regulation was put in place.

As a result, if you are a covered entity, you should know your organization’s cyber security posture. Specifically, look at the checklist below to see where your organization stands in regards to meeting compliance requirements.

New York Cyber Security Compliance Checklist

• Conduct a Risk Assessment

1. • This is the first step every organization must take to begin the process of strengthening their cyber security posture and becoming compliant. The risk assessment is the cornerstone of all the enforcement measures around cyber security programs, policies, and compliance. Almost every requirement throughout the New York Cyber Security Regulation is based on the results of your organization’s risk assessment.
   • A cyber security risk assessment will evaluate and identify threats to your information system. Furthermore, it will assess the confidentiality, integrity, security, and availability of your IT infrastructure. Additionally, a thorough risk assessment will test the adequacy of your existing security policies and controls. Learn more about cyber security risk assessments here.

• Prepare a Cyber Security Program

2. • To be compliant with the New York Cyber Security Regulation, your organization must maintain a cyber security program based on the results of your risk assessment. It should be designed to perform the following core cyber security functions:
     • Identify and assess internal and external cyber security risks that may threaten the security or integrity of private information stored on your information system
     • Use defensive infrastructure and the implementation of policies and procedures to protect your information systems from unauthorized access, use, or other malicious acts
     • Detect cyber security events
     • Respond to identified or detected cyber security events to mitigate any negative effects or risks
     • Recover from cyber security events and restore normal operations and services
     • Fulfill any regulatory reporting obligations (use NYDFS secure portal to report cyber security events)

• Prepare a Written Information Security Program (WISP)

3. • To comply with the New York Cyber Security Regulation, your organization must implement and maintain written cyber security policies and procedures. Similar to the cyber security program, your cyber security policy will be based on the results of your risk assessment. Furthermore, it should address the following areas:
     • Information security
     • Data governance and classification (what types of data do you store and where)
     • Asset inventory and device management (physical count of computers and devices)
     • Access controls and identity management (passwords, network access control, and authentication methods)
     • Business continuity and disaster recovery planning and resources (backups and data loss prevention)
     • Systems operations and availability concerns (procedures in the event of a cyber security event)
     • Network and system security
     • Network and system monitoring
     • Systems and application development and quality assurance
     • Physical security and environmental controls (locked doors, logging off at night or when away from desktop)
     • Customer data privacy
     • Vendor and third-party service provider management (assurances that your partners are secure)
     • Risk assessment
     • Incident response plans

The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement Written Information Security Programs (WISPs)

All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the NYDFS superintendent upon request.

As a result, it’s important to have the proper documentation that meets each of the requirements outlined in 23 NYCRR 500.

aNetworks, Inc. provides customizable 23 NYCRR 500 WISP to take the burden of compliance off your hands.

For pricing information and more details on our 23 NYCRR 500 Written Information Security Program (WISP) see here.

What’s the Penalty for not Being Compliant with the New York Cyber Security Regulation?

The New York Cyber Security Regulation currently doesn’t provide any detail on how penalties or fines will be calculated. This is a concern for covered entities, as it could mean the sky’s the limit.

However, security and financial experts predict that NYDFS will calculate fines based on the existing New York Banking Law which uses the following benchmarks:

1. • $2,500 per day during which a violation continues
   • $15,00 per day in the event of any reckless or unsound practice or pattern of misconduct
   • $75,00 per day in the event of a knowing and willful violation

But, as noted, 23 NYCRR 500 is a relatively new regulation, so organizations will learn by example in terms of how the regulation is enforced as well as how it is penalized.

With those numbers, however, putting off implementation (knowing and willfully) for just one week could cost an organization half a million dollars.

Subsequently, these figures have put many of the covered entities into a frenzy to meet compliance requirements. Many of the affected organizations don’t have enough in-house resources or IT staff to comply with what many are calling high-stake and burdensome regulations.

As a result, covered entities have been outsourcing compliance issues to cyber security organizations. Organizations are using cyber security experts, rather than adding pressure to their own IT staff, to complete the risk assessment as well as create the cyber security program and policies.

The total cost of outsourcing compliance is around 1-2% of what the predicted penalties stated above would cost.

Get Started

On the one hand, it’s easy to become overwhelmed by the New York Cyber Security Regulations. However, it doesn’t need to be a stressful process.

On the other hand, the risk assessment lays the groundwork for most of the steps your organization must take to become compliant. Luckily, a risk assessment is free and easy to use.

Furthermore, aNetworks offers one of the only automated cyber security risk assessment tools available online, and it’s free to use.

Take Your Risk Assessment

Moreover, after you take the risk assessment, we offer a complimentary meeting with one of our cyber security analysts to get the ball rolling on implementing the required cyber security programs and policies.

Additionally, if you need any assistance understanding the 23 NYCRR 500 compliance checklist, feel free to contact one of our security analysts to get you up to speed.

Start Now

Finally, you can always find us on Twitter, Linkedin, and Facebook.

---

---