How the Next 30 Days May Change Your Company Forever

The New 23 NYCRR 500 Cyber Security Regulations and What it Means for You

By Jarra Gruen, MDS

In light of recent global, crippling malware and ransomware attacks, it has never been more imperative to have a standard cyber security protocol in place.

If you are a Financial Company operating in NY State, this is not only a suggestion but a mandatory requirement that is going into effect August 28th, 2017.

NY State has “passed a new law” related to Cyber Security, 23 NYCRR Part 500:

This law says any organization supervised by the NY State Department of Financial Services (NYSDFS) must have a COMPLETE cyber security program in place by August 28, 2017.

That’s correct: if you have not done so already, you have approximately one month to implement a full-scale cyber security program.

In addition to having the program established, you MUST designate someone as the Chief Information Security Officer (CISO).

So, what does this mean for your organization?

If you are designated as a financial services company (insurance, banking, mortgage brokers, check cashers, health insurers, hedge funds, etc.) in the State of New York:

1. You must designate a CISO

2. Build a cyber security program and

3. Have it up and running by August 28th, 2017

Failure to build it and prove its existence and viability can result in heavy fines and scrutiny from the state regulators. There are a few organizations that would be exempt from this new law, but those exemptions will only impact less than 1% of the financial services companies in New York State.

Feeling overwhelmed about all that needs to be done before this deadline? Not to worry, the compliance experts at MDS are here to assist you every step of the way. We break down what is important and customize a compliant solution that ensures you are not only ready for the deadline, but that your cyber security protocol is enhanced in the process.

Learn how to be DFS Compliant with our Complimentary Checklist!

Download The 23 NYCRR 500 Checklist

What does the state want? 

What exactly must you do to satisfy the state when executing the NYSFSCA? There are four key components which need to be addressed:

  1. Hire, contract or designate a CISO to build, implement, oversee and enforce a sound cyber security program;
  2. Establish/build said cyber security program;
  3. Write, adopt and enforce a cyber security policy;
  4. Enact and implement several security controls requested by the NYSDFS.

How do you do the above?

The simplest is the first: hiring a CISO to do the remaining three. Please note that the CISO can be contracted through a third party, or can be hired internally.

Frequently, an organization will attempt to build a cyber security program but isn’t aware of the nuances involved in making such a program viable. Or they have someone throw together some policies, only to find them unenforceable because the right leadership isn’t in place: leadership that knows how to move policies through the various acceptance phases.

The state has the law broken down into twenty-two sections (Section 500.01 to Section 500.22), of which 14 are particularly relevant, which we have broken down for you as follows:

02 - The Cyber Security Program

03 - The Cyber Security Policy

04 - The CISO

05 - Penetration Testing

06 - A Cyber Security Audit Trail

07 - User Access

08 - Application Security

09 - Risk Assessments

10 - Your Cyber Security Team

11 - Vendor Management

13 - Data Retention Rules

14 - Security Awareness Training

15 - Encrypting Nonpublic Data

16 - Incident Response Plans

The CISO

The thought leader of your cyber security protection program needs to lead the charge in assessing the vulnerabilities within your organization. The hiring of the CISO (500.04) will drive the rest of the controls required by the NYSDFS:

  • Do you have a robust cyber security protection program? (500.02)
  • Do you have a set of policies that govern your cyber security program? (500.03)
  • Is your infrastructure secure? (500.05)
  • Is your organization producing audit trails? (500.06)
  • Who establishes what user has access to what? (500.07)
  • Are your Applications secure? (500.08)
  • Has your organization undertaken a thorough risk assessment? (500.09)
  • Do you have a coordinated cyber security team as required by NYCRR? (500.10)
  • Do you have effective Third Party Vendor Management? (500.11) (If you don’t think that’s important, ask Target: one of their vendors was breached and the hackers used that HVAC vendor as a conduit into the Target network.)
  • Does your organization comply with the Data Retention Rule? (500.13)
  • Does your organization provide appropriate Security Awareness Training? (500.14)
  • Does your organization encrypt non-public data? (500.15)
  • Does your organization have appropriate incident response plans? (500.16)

If you do not currently have a CISO in place, you can utilize a Third-Party, such as MDS, as your CISO solution.

What This Regulation Means Nation-Wide:

This could change everything. The breach notification law SB 1386, rolled out by California in 2003, set off tremors through the IT and Information Security (IS) world. For the first time, a state would tell any business operating in that state that if there was the possibility of a breach of data, they, the business, would have to notify everyone potentially affected by the breach.

As with CA-SB1386, other states can sit back and watch, see how this new 23 NYCRR 500 implementation goes and, if it’s successful, write their own laws to do the same thing. All eyes are on NY State, and with MDS by your side, we can make sure that your organization is covered against the growing threat of Cyber Crime while also ensuring you aren’t penalized for not being compliant.

Contact the experts at MDS to learn about the custom solutions we provide in order to ensure your organization is 100% compliant by the August 2017 deadline.

Our Pledge:

Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists that understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused and operationally efficient.

Contacts:

NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000

Miami Office:
Tel: 786-899-2980

San Juan Office:
Tel: 646-460-6229

Email: contactus@mdsny.com