By Bill Minahan | December 15, 2020
The New York Cyber Security Regulation, officially known as 23 NYCRR 500, is a regulation that requires financial service organizations and their third-party vendors to implement effective cyber security programs.
Additionally, the New York Cyber Security Regulation requires financial services firms operating in New York to have a full security risk assessment, cyber security plan, and a written information security program (WISP).
Essentially, the regulation includes 23 sections that require covered entities (those who are legally required to comply with the 23 NYCRR 500) to assess their cyber security risk and develop a plan to mitigate it.
Furthermore, the regulation was rolled out in 4 phases to give covered entities ample time to implement, test, and adjust new cyber security plans and policies.
According to Governor Cuomo, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
Well, let’s dive in!
All entities operating in the state of New York under banking law, insurance law, or financial services law are considered covered entities for the New York Cyber Security Regulation. Specifically, some examples of covered entities could be:
However, 23 NYCRR 500 also lists entities that are exempt from having to comply. Specifically, the exemption list for the New York Cyber Security Regulation includes organizations that:
To comply with the New York Cyber Security Regulation, businesses must take a few steps. The level of work required to comply varies greatly between businesses. Furthermore, the work required depends on the level of cyber security maturity each organization possessed before the regulation was put in place.
As a result, if you are a covered entity, you should know your organization’s cyber security posture. Specifically, look at the checklist below to see where your organization stands with regard to meeting compliance requirements.
All documentation and information relevant to the covered entity’s cybersecurity program shall be made available to the NYDFS superintendent upon request.
As a result, it’s important to have the proper documentation that meets each of the requirements outlined in 23 NYCRR 500.
aNetworks, Inc. provides a customizable 23 NYCRR 500 WISP to take the burden of compliance off your hands.
For pricing information and more details on our 23 NYCRR 500 Written Information Security Program (WISP) see here.
The New York Cyber Security Regulation currently doesn’t provide any detail on how penalties or fines will be calculated. This is a concern for covered entities, as it could mean the sky’s the limit.
However, security and financial experts predict that NYDFS will calculate fines based on the existing New York Banking Law which uses the following benchmarks:
But, as noted, 23 NYCRR 500 is a relatively new regulation, so organizations will learn by example in terms of how the regulation is enforced as well as how it is penalized.
With those numbers, however, knowingly and willfully putting off implementation for just one week could cost an organization half a million dollars.
Subsequently, these figures have put many of the covered entities into a frenzy to meet compliance requirements. Many of the affected organizations don’t have enough in-house resources or IT staff to comply with what many are calling high-stake and burdensome regulations.
As a result, covered entities have been outsourcing compliance issues to cyber security organizations. Organizations are using cyber security experts, rather than adding pressure to their own IT staff, to complete the risk assessment as well as create the cyber security program and policies.
The total cost of outsourcing compliance is around 1-2% of what the predicted penalties stated above would cost.
On the one hand, it’s easy to become overwhelmed by the New York Cyber Security Regulation. However, it doesn’t need to be a stressful process.
On the other hand, the risk assessment lays the groundwork for most of the steps your organization must take to become compliant. Luckily, a risk assessment is free and easy to use.
Furthermore, aNetworks offers one of the only automated cyber security risk assessment tools available online, and it’s free to use.
Moreover, after you take the risk assessment, we offer a complimentary meeting with one of our cyber security analysts to get the ball rolling on implementing the required cyber security programs and policies.
Additionally, if you need any assistance understanding the 23 NYCRR 500 compliance checklist, feel free to contact one of our security analysts to get you up to speed.