Cybersecurity vulnerabilities are a constantly growing concern, and it’s increasingly important for organizations to adopt formalized cybersecurity programs. Compromised information, whether in the hands of organized crime or rogue individuals, can seriously impact the security of employees, the company, and most importantly, customers. This growing threat presents a double challenge for organizations, which must manage both the threat itself and ensure compliance with New York cybersecurity regulations, including 23 NYCRR 500.
23 NYCRR 500 is a cybersecurity regulation issued by the New York State Department of Financial Services (DFS) in early 2017. In the regulation’s own words, its purpose is to “promote the protection of customer information as well as the information technology systems of related entities.”
The New York cybersecurity regulations are applicable to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.
To comply with the NYDFS cybersecurity regulations, each covered company is now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
Specific 23 NYCRR 500 cybersecurity requirements include (but are not limited to):
- Risk assessments to inform the program’s design
- Identification and assessment of external cybersecurity risks
- Controls, policies, and procedures for mitigating those risks
- Fulfillment of regulatory reporting requirements