On Feb. 15, the first of several important milestones in New York's new cybersecurity regulations, called 23 NYCRR 500, will compel the state's financial services companies to adopt policies to keep their data safe. The regulations, handed down by the New York State Department of Financial Services, are the first of their kind in the country.

As other states consider the adoption of similar regulations, financial services companies in the rest of the U.S. would do well to follow the roll-out of 23 NYCRR 500 and the ways in which covered entities are working to meet the new requirements. Affected companies include banks, insurers and investment companies licensed by or operating in New York State. 23 NYCRR 500 excludes companies with fewer than 10 employees and contractors, or less than $5 million in New York gross annual revenue, or less than $10 million in year-end assets.

Building a plan and a policy

Covered entities will have had 180 days to establish and maintain a written cybersecurity program to protect their information systems. This program should be based on the company's risk assessment, and should be able to protect sensitive data from breaches or manipulation by bad actors.

Companies must also show a written cybersecurity policy that has been approved by a Senior Officer or Board of Directors, and document procedures for safeguarding information systems along with any stored, sensitive data.

Affected companies should consider how already-existing cybersecurity controls are documented, and whether the policy includes administrative, logical and physical safeguards for data and systems.

New York's cybersecurity laws also require covered entities to install a Chief Information Security Officer to oversee and implement the program and enforce the policy. If a company does not already have a CISO, it's worth considering whether the hiring of a new team member is the best way forward. A CISO from an affiliate organization or a third-party service provider would also fulfill this requirement.

Companies that have an affiliate that maintains a cybersecurity program that matches the requirements set forth by 23 NYCRR 500 can adopt that program. Finance leaders also should be aware of the many different guidelines available to frame a cybersecurity program, such as NIST, ISO 27001, COBIT, or COSO.

Feb. 15 will mark the compliance deadline in New York state for the first round of cybersecurity requirements. (Photo: iStock)

Training for tomorrow's cybersecurity needs

A compliant cybersecurity program needs qualified personnel to drive it. Like the CISO, these need not be new full-time employees; affiliates or third-party contractors will satisfy New York's regulations. But no matter where an organization's cybersecurity team comes from, they must absolutely understand IT infrastructure and basic cybersecurity elements.

These IT professionals also need to be apprised of a company's access privileges, which are required by 23 NYCRR 500 to limit access to information systems that store non-public information. These privileges should be periodically reviewed and updated.

When things go wrong

Finally, companies need a written incident response plan. The best plans are concise and flexible, able to adapt to evolving cyber threats instead of trying to plan for every possibility. One plan tested 100 times is superior to a plan that tries to account for 100 different types of emergencies.

When crafting a response plan, consider the company goals that need to be met. Who will be involved when a data breach occurs? What will their responsibilities be? Who has the authority to make decisions when an incident occurs? How often will the plan be tested?

These requirements are only the beginning of the cybersecurity transformation that will take place in New York's financial services companies over the next two years. Future milestones will enact guidelines for penetration testing and vulnerability assessments, data retention limits, training, and encryption.

The need for these safeguards has never been clearer. Last year, the IBM X-Force Threat Intelligence Index ranked financial services the top target of data breaches, attacked 65 percent more often than any other industry. New York may well lead the nation with the introduction of these regulations, as it led in 1984 with the country's first vehicle safety belt laws.

Christopher Roach is the National IT Practice Leader and a Managing Director at CBIZ Risk & Advisory Services. He can be reached by sending email to [email protected].
