NY Cyber Regulation Deadline

What New York State’s Cybersecurity Regulation Deadline Means for Your Organization

A sweeping set of new regulations is about to hit its final deadline for New York’s financial sector. On March 1, the last provisions of New York State’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) come into effect. Enacted by New York’s Department of Financial Services two years ago, 23 NYCRR 500 establishes “minimum standards… designed to promote the protection of customer information as well as the information technology systems of regulated entities.” New York’s regulations are the first in the United States to require cybersecurity policies and protections from financial institutions that do business in the state, as well as from third parties doing business with or supporting those institutions.

Regulation Requirements in Short

The new rules require relevant organizations to institute major cyber policy changes, including:

  1. Adopting a robust cybersecurity program that includes regular penetration testing and regular vulnerability assessments;
  2. Designating a Chief Information Security Officer (CISO) to oversee the creation and implementation of cybersecurity policies;
  3. Creating an ongoing reporting system for cyber incidents.

The CISO (or equivalent) is also required to submit an annual written report on the organization’s cybersecurity program to the board of directors, another governing body, or a senior officer, which must sign off on the organization’s cyber strategy and submit a Certification of Compliance.

Going Beyond the Bare Minimum: Why Implementing these Policies is Smart Security

While compliance protects a company from regulatory fines and investigations, your organization should aim to go beyond the legal bare minimum. Meeting these standards alone may satisfy government regulators but may still not adequately address the cyber risks your organization faces. Implementing strong policies based on your specific needs can help an organization manage its cyber risk more effectively by institutionalizing contingency planning, policy authority, and incident reporting. Developing cybersecurity policies under a CISO can further mitigate the risk associated with a cyber incident, and establishing reporting requirements means that an organization will be more transparent. Taking the initiative on cybersecurity not only satisfies these regulations, but can also help a compliant organization avoid the longer-term costs associated with a data breach.

The Future of Cyber Regulation

Over the past few years, in the absence of broader federal laws or regulations, U.S. states have taken the lead in implementing cyber information security regulations that strengthen data and privacy protection. The mandates in 23 NYCRR 500 represent the first of what could potentially be many new state government cybersecurity requirements. In 2017, both Colorado and Vermont enacted regulations for the securities industry meant to establish minimum data protection requirements, mandate annual cyber risk assessments, and, in Vermont’s case, require the purchase of cybersecurity insurance and identity restoration services in the event of a data breach. In 2018, California passed both a Consumer Privacy Act giving consumers greater control over their data and an Internet of Things (IoT) law regulating minimum security features on IoT devices. It is likely that regulations similar to 23 NYCRR 500 will continue to proliferate throughout the United States as cybersecurity gets greater attention at the local, state, and federal levels.

N2K is Here to Help

Whether you are a CISO, a board member, or another senior executive, understanding cyber risk and implementing risk mitigation policies is critical to adhering to these types of regulations. Even if your organization is not directly impacted, you should still seek to enact these organizational changes. N2K is here to help. Our Resolve program is designed to quickly get senior executives up to speed on essential cyber compliance issues and ways to mitigate cyber risk. Be sure to check out our Digital Cyber Risk Seminars, which come with our complimentary Executive Cyber Briefings — a monthly newsletter that wraps up the latest cybersecurity headlines and explains how they impact your business. That way you can stay on the right side of regulators and protect your organization from getting slapped with costly fines and fees.