Effective March 1, 2017, Maria T. Vullo, New York’s Superintendent of Financial Services, promulgated Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations establishing cybersecurity requirements for financial services companies operating in the State of New York.
The general purpose of the regulation is to ensure that financial services entities do their due diligence in protecting their customers and information systems in an exhaustive manner to prevent and safeguard against cyberattacks. The regulation requires covered entities (CEs) to:
- Adopt/maintain a documented comprehensive cybersecurity program and all supporting documentation and/or procedures.
- Identify a chief information security officer (CISO), along with a trained support staff, as the person(s) responsible for the cybersecurity program.
- Direct their CISO to report annually in writing to the board of directors or equivalent body on cybersecurity programs and risks.
- Perform annual penetration testing and biannual vulnerability assessments.
- Maintain for at least five years records that can reconstruct transactions to support normal operations.
- Maintain for at least three years audit trails designed to detect and respond to cybersecurity events.
- Limit access to least privileged users and perform periodic reviews of that access.
- Document procedures on secure application development (in-house and outsourced). Procedures are to be reviewed and updated as necessary by the CISO or a qualified designee of the CE.
- Perform a periodic risk assessment of their information systems and nonpublic information.
- Utilize qualified personnel for cybersecurity.
- Provide security staff with adequate training to perform their duties.
- Verify that security staff are taking steps to maintain currency of cybersecurity threats and countermeasures.
- Establish a due diligence process used to evaluate third-party practices and perform periodic assessments of third parties based upon risk they present.
- Provide all personnel with regular cybersecurity awareness training that is updated to reflect risks identified by the CE in its risk assessment.
- Maintain a data retention/disposal program based on business purposes/needs and regulatory requirements.
- Monitor user activity, to detect unauthorized use or access.
- Use encryption to protect nonpublic information at rest or in transit over external networks, or use other secure means (compensating controls) when encryption is not feasible. All must be reviewed and approved by the CE’s CISO. These controls and encryption mechanisms must be reviewed at least annually by the CISO.
- Formalize an incident response plan.
- Notify the Superintendent as promptly as possible, and no later than 72 hours after, any event that is reported to a government body, self-regulatory agency or any supervisory body, or if the event has a reasonable likelihood of materially harming any part of normal operations at the CE.
- Annually submit to the Superintendent in writing certification that they are compliant with all requirements. All supporting documentation, evidence and records that support this compliance must be maintained for five years.
For more information on how Sirius Security Solutions can help with 23 NYCRR 500 compliancy and your enterprise security needs, visit our Security & Risk Management webpage or contact us today.