In the wake of several high-profile cybersecurity breaches over the past few years, 42 states have introduced more than 240 bills aimed at reining in the frequency and severity of cybersecurity incidents targeting U.S. organizations.
Back in August 2017, the New York Department of Financial Services enacted Cybersecurity Regulation 23 NYCRR 500.
The regulation requires banks, insurance companies, and other regulated financial services organizations operating in the state of New York to comply with rigid requirements designed to protect the data and soundness of the financial services industry.
The regulation doesn’t just apply to financial organizations operating in New York. It also requires agencies and branches of non-U.S. banks that are licensed to operate in the state to assess their cybersecurity risk profiles.
The regulation mandates that organizations put into place minimum cybersecurity standards based on a risk assessment, employee training, and other controls designed to protect consumer data and ensure the safety and soundness of the state’s financial services industry.
The New York Regulation also stipulates that each covered entity implement and maintain written policies approved by the entity’s senior officers. This part of the regulation makes sure that covered financial organizations don’t “conveniently forget” about compliance or shift it to the back burner.
In addition, covered financial organizations must address the following:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third party service provider management
- Risk assessment and incident response
You might, at this point, be saying to yourself, “How do I comply with the regulation?”
Taking a proactive, data-driven approach to comprehensive cybersecurity can bring your organization into full compliance while protecting confidential data and safeguarding sensitive customer information.
Studying the details of the regulation is a great start because some financial organizations―mostly smaller businesses―are exempt.
Another way to remain in compliance is to recognize that the regulation requires each covered entity to use effective controls, such as multi-factor authentication or risk-based authentication, to protect against unauthorized access to nonpublic information (personally identifiable information (PII) such as names, Social Security numbers, and so on) and to IT networks.
Other ways to comply are to provide your employees with cybersecurity awareness training programs and put into place comprehensive policies monitoring the activities of authorized users.
Another way to comply is to pay for cybersecurity penetration testing to assess the strengths and weaknesses of your financial organization’s systems and policies. Additionally, look into whether a SOC 2 report, with an emphasis on the proper Trust Service Principles, will give you an enhanced security posture.
Compliance with regulations alone won’t make your financial services organization 100 percent safe, but it will make your cybersecurity defenses more robust and harder to defeat.
Compliance with NYCRR 500 may not be easy for some organizations because it requires substantial rethinking of cybersecurity policies, but the regulation is comprehensive and aligns with security best practices such as ISO 27001 and NIST/FISMA. Any implementation of its components will reduce the risk of a data breach occurring at your financial services organization.