A Cyber Bite of the Big Apple: Discussing 23 NYCRR 500

A Cyber Bite of the Big Apple: Discussing 23 NYCRR 500 864 486 N2K

JPMorgan Chase, Citigroup, Bank of America, Goldman Sachs and Many Others Must Comply With New Cybersecurity Standards

The New York Department of Financial Services (DFS) has taken an unprecedented step. In the first of its kind in the country, DFS has released a new set of cybersecurity standards directly impacting major financial institutions including JPMorgan Chase, Citigroup, Bank of America, and Goldman Sachs.

Known as 23 NYCRR 500 and taking effect on March 1, 2017, these guidelines will establish a baseline of cybersecurity within the financial services industry – a high-risk target that has seen attacks by cyber criminals, terrorist organizations, and nation state actors.
Financial services is the largest industry in New York City, representing 15% of the municipal economy. Affected organizations include some of the most iconic and pervasive names in global finance. But this isn’t news just for New York Bankers – these cybersecurity standards will affect any companies and customers doing business with these companies.
New York Governor Andrew Cuomo is optimistic that that the new rules will hold both financial institutions accountable and also improve security. He stated, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”

23 NYCRR 500 Requirements

The following list of requirements are the highlights of 23 NYCRR 500:

  • Each company must have a written cybersecurity policy (or policies), which is approved by a senior officer or board of directors.
  • Each organization must designate an individual to be responsible for overseeing and executing the company’s cybersecurity program and enforcing its cybersecurity policy.
    • The Chief Information Security Officer (CISO) role is responsible for ensuring that the organization and its third party partners comply with the new standards outlined in 23 NYCRR 500.
  • Each organization must perform a risk assessment to determine their unique risk profile and identify critical vulnerabilities.
    • To ensure that the risk assessment is up to date and keeps pace with technological advancements, organizations should also perform continuous monitoring and periodic penetration testing.
  • After performing the risk assessment, companies are responsible for recording the findings and implementing audit trails designed to detect and respond to cybersecurity incidents, particularly those events that have a reasonable likelihood of materially harming the operations of the company.
  • Companies must routinely assess and review user privileges, to ensure that the only people who can view private information are those that need access as part of their job responsibilities.
  • Organizations must improve their overall cybersecurity posture by improving their training and awareness regiments, using secure development practices when creating software applications in-house, protecting information using two-factor authentication, limiting data retention where possible, and encrypting sensitive data.
  • Organizations must create an incident response plan. This written outline ensures that the organization can promptly respond to, and recover from, a cybersecurity incident or data breach.

Who is Affected?

New York’s DFS cybersecurity requirements are designed to protect the financial service industry and consumers from cyber-related risks. As such, banks, insurance companies, and other related financial services institutions regulated by NY DFS are affected by 23 NYCRR 500’s provisions. That said, even if your organization is not headquartered in New York, or not in the financial sector, you could still be affected because the requirements also include a provision on third parties. If you are partnered with a New York company regulated by the NY DFS, you will have to address certain cyber issues within your organization as a result. This is key because often attackers will comprise a smaller, subsidiary company in pursuit of a larger target.
Senior business leaders must pay attention to these regulations — even if you are not regulated by New York’s DFS — because they may impact your organization in the long run. New York is leading the way for other industries and other states. Even if the specific requirements vary, one thing is certain: cybersecurity standards are coming soon to a state near you.

N2K’s Structured Approach Simplifies Risk Management

The requirements outlined in 23 NYCRR 500 are not random. The recommendations are structured and designed to address a variety of cyber risk issues that threaten the financial sector and its customers. Cyber Resolve, N2K’s board and executive training program, operates in a similar, structured way to equip directors and executives with the knowledge and tools to effectively oversee and manage cyber risk.
Prepare Monitor React GraphicOur program tackles cyber risk through three main frameworks: Prepare, Monitor, and React. The Prepare phase will help you identify cyber threats and threat actors, and calculate the risks they pose to your business. 23 NYCRR 500’s mandate that an organization to perform a risk assessment and understand their threat landscape aligns with our Prepare phase. It is in this phase, too, that the foundations of a cybersecurity program are set.
Our next phase, Monitor, ensures that organizations know the effectiveness of their cybersecurity program in the form of policies and controls, as well as metrics for evaluating your people and processes. 23 NYCRR 500 emphasizes that security procedures and guidelines must be evaluated and updated at least annually. Our Monitor phase will introduce you to a Cyber Scorecard which will help you evaluate the health of your security program.
Our React phase recognizes, as 23 NYCRR 500 does, that cyber breaches remain a reality no matter how prepared your organization is. Cyber Resolves ensures C-suite leaders understand their roles in incident response procedures. Senior leaders need to play an active role in the planning and execution of their organization’s Business Continuity Plan and Disaster Recovery Plan, two strategies mandated by 23 NYCRR 500. Finally, all attendees participate in a breach simulation near the end of our program, to experience a realistic cybersecurity incident, apply the skills they’ve learned, and discover ways to respond to a high-stress situation appropriately.

To Follow Regulations, First Understand Them

23 NYCRR 500 is no simple regulatory document. It calls for advanced security protections and actions. The best way to address these regulations is to fully understand them before you implement them. Taking this first step will put you on a path to cyber literacy. And cyber literacy is the key to cyber resiliency. N2K’s executive programs either in a workshop setting or in your boardroom – provide engaging content that will help you learn to manage cyber risk. If you are a senior business leader looking for cybersecurity solutions, you can start or continue your journey by enrolling in our New York Cyber Resolve workshop scheduled for May 1st. Take your cyber literacy to the next level. Enroll today.