The New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) took effect on March 1, 2017. The regulation's 43 individual requirements may seem daunting, especially given the numerous other state and federal cybersecurity regulations that apply to covered entities. Rather than rushing to implement them one by one before the August 28, 2017 end of the transitional period, a better approach is to build out a security framework through which 23 NYCRR 500 and other regulations can be satisfied and tracked at the same time. Using a security framework has the added benefit that you will be following established security practice to protect your organization's information and your customers. The NIST Cybersecurity Framework (CSF) is just such a framework (Draft Version 1.1 is available on the NIST website).
The new cybersecurity regulation applies to all but the smallest financial institutions in New York State. Covered entities include banks, insurance companies, agents and brokers, trusts, mortgage brokers, private banks and 20 other business categories listed on the DFS website. Many firms may not be familiar with cybersecurity regulations, even though headlines constantly report security breaches. According to the NYS Attorney General, reported data breaches in New York State were up 40% in 2016; hence the new regulation.
The most important thing to note about 23 NYCRR 500 is that its requirements map closely onto the NIST CSF. The CSF is built around five functions: Identify, Protect, Detect, Respond and Recover.
You can, therefore, use the CSF as the basis for meeting the new regulation. The big benefit of this approach is that the same CSF implementation can then support the other compliance regimes you may need to meet, so that by following one framework you can report effectively against a range of compliance requirements. If you accept credit cards, you will need to be PCI DSS 3.2 compliant. If you are a NYS registered HMO, you will also need to be HIPAA compliant.