New York Blazes the Trail for Financial Sector Cybersecurity Requirements with 23 NYCRR Part 500

 On February 15, 2018, the New York Department of Financial Services (DFS) cybersecurity regulation’s first certification of compliance became officially due for all covered entities and licensed persons. New York is the first state in the U.S.A. to compel financial services companies to comply with a variety of cybersecurity standards, thereby leading the cybersecurity charge in the financial sector. The financial industry has constantly been a target for cybercriminals, as financial data (both payment card information and personally identifiable information) remains a darling of the darknet. Whether through ransomware, unvetted vendors, denial of service attacks, or other exploits, the financial sector will always have a cyber-bullseye on its back.

Pursuant to 23 NYCRR Part 500, covered entities include “any Person (individual or non-governmental entity) operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  Therefore, banks, insurance companies and professionals, and many other financial institutions in New York state must comply with significant measures that acknowledge the vulnerability of the financial sector. Penalties, in addition to dealing with the fallout of a cyberattack or data breach, include potential litigation under New York Banking Law that could lead to fines up to $250,000 or removal of licenses.

In addition to establishing a program that protects the “confidentiality, integrity and availability” of a covered entity’s information system (Sec. 500.02), and written policies that address information security, data governance and classification, business continuity, disaster recovery, systems, and network security and monitoring, and access controls, among other areas (Sec. 500.03), covered entities must also designate a Chief Information Security Officer to oversee, implement and enforce the program and policies (Sec. 500.04).

The foundation for the plan of action each covered entity must take to comply with 23 NYCRR Part 500 is built on the risk assessment (Sec. 500.09). Generally, risk assessments address critical vulnerabilities and close security gaps and should be conducted periodically no matter in what sector the organization sits – they are the foundation of any solid cybersecurity program. Capsicum Group’s team of professionals are equipped to tackle the most complex cybersecurity compliance projects throughout the United States and abroad – including but not limited to penetration testing, auditing, policy drafting, and training. Do you have questions about 23 NYCRR Part 500 and what you need to do moving forward? Capsicum Group is available at www.capsicumgroup.com.