NYS DFS Cybersecurity Regulations: 23 NYCRR 500
Are you ready?
Effective March 1, 2017, financial services companies in New York State have between 180 days and two years to comply with rigorous new cybersecurity regulations.
The new regulations affect banks, consumer lenders, money transmitters, insurance companies, and certain other financial institutions.
What Are Your Key Responsibilities?
Your organization must establish a Written Information Security Program (WISP) that includes a Chief Information Security Officer (CISO) and a yearly risk assessment. See below for more information.
Your program must include a yearly risk assessment that identifies IT risks and strategies for mitigation. You may be exempt from implementing certain controls based on the assessment results.
Monitoring and Reporting
Once you have the results of your assessment, you must implement incident-monitoring controls and procedures, as well as an audit trail that keeps records for five years.
Finally, you must file for annual certification of your cybersecurity program with the NYS Department of Financial Services.
What is a WISP?
Under 23 NYCRR 500, your organization must develop, implement, and maintain a written cybersecurity policy that includes the following:
What kind of risk assessment?
The organization must conduct periodic assessments that identify cybersecurity risks. You must have policies and procedures in place that include:
Criteria for evaluating and categorizing risks
Criteria for assessing the confidentiality, integrity, security and availability of your systems
Requirements describing how risks will be mitigated or accepted, and how the cybersecurity program will address the risks
What needs to be monitored?
Any systems identified as at-risk by your Risk Assessment and incorporated into your cybersecurity program. This could include network appliances, databases, servers, and other systems.
What reports need to be generated?
Every organization subject to 23 NYCRR 500 must implement an audit trail with a five-year retention period. This can include system logs, data-governance software, file audits, and anything else identified by the Risk Assessment.
Your Next Steps
We’d like to meet with you! Our certified security experts are ready to help you create a roadmap toward successful NYS DFS certification. They’ll help you prioritize critical aspects of compliance, and create a program that won’t just pass an audit – it will make your organization more secure.
Promenet Inc. is one of New York City’s premier providers of IT consultation, integration, and managed services. We were recently recognized by CRN magazine as one of the top 250 Managed Services Providers in North America for the fourth year in a row.