Do you know if your business is compliant with the NYS Department of Financial Services 23 NYCRR 500 Cybersecurity Requirements? Read on to learn more about this regulation and upcoming deadlines from Shikole Struber, ATEC Group Account Executive and Cybersecurity Champion.
AS: To begin, can you expand on what New York’s Cybersecurity Regulation 23 NYCRR Part 500 includes?
SS: There are a myriad of specific standards listed in the law, but the overarching goal is to be sure that every covered entity develops and implements a written, actionable program to help mitigate their cybersecurity risks. The regulation aims to make companies think about and assess the real cybersecurity hazards they face and address them before they turn into an issue like we’ve seen with Equifax and other companies in the news lately.
Two of the major requirements for a covered entity include Multi Factor Authentication and the Continuous Monitoring of Systems. The full list of standards can be found here. I would be happy to explain the standards further to businesses that are unsure of their compliance.
AS: What are the specific deadlines for this new regulation?
SS: Companies are expected to file either their compliance or exemptions annually by Feb 15. These filings are to certify compliance up until that point. However, March 1, 2018 was the deadline for new sections 500.04.b (CISO), 500.05 (includes pen test/vulnerability assessment), 500.09 (risk assessment), 500.12 (MFA) and 500.14b (personnel training)
AS: What happens if you don’t comply with these security requirements in a timely fashion?
SS: The Department of Financial Services and consumers are able to file claims against banks, insurers and other financial services firms for breach of such certification. The proposal notes that its requirements will be enforced “under any applicable laws,” including the New York Banking Law and New York Insurance Law.
Additionally, individual civil and criminal penalties for intentionally making false statements to DFS can be filed. This could include jail time, loss of licenses, and more.
AS: Are there any exemptions to the new law?
SS: Yes, companies that fall into one or more of the groups below are exempt from the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 in the regulation:
- Fewer than 10 employees (Including independent contractors)
- Less than $10 Million in year-end total assets
- Less than $5 million in gross revenue
A full list of exemptions can be found directly in the cybersecurity regulation. It’s important to note that companies still must file their limited exemption on the Department of Financial Services website!
AS: How can ATEC Group help ensure that you are compliant?
SS: Many companies do not have the resources on staff to adequately monitor the security of their environment. We can help! Our team can also suggest the best security products to bring your environment up to the new standards, as well as assist in getting any necessary cybersecurity policies created. If you’d like assistance in evaluating your compliance, please feel free to reach out to me.