Why is the 23 NYCRR Part 500 Cybersecurity Regulation important for the financial services industry?

New York City, often recognized as the financial capital of the world, has made headlines for numerous cyberattacks in the past few years. Most industries have seen a rise in cybercrime, but the financial services industry has been targeted particularly aggressively. Sensitive information, heavy reliance on computer networks for day-to-day operations and capital-rich stakeholders are some of the factors that make financial services such a lucrative target for cybercriminals.
The New York State Department of Financial Services (DFS) introduced the 23 NYCRR Part 500 regulation to standardize cybersecurity policies and practices across financial services companies operating under its supervision. Compliance with the regulation is intended to provide better protection against cyberthreats by safeguarding sensitive customer data and promoting the integrity of regulated entities' information technology systems.
Whether or not your organization is required to comply with 23 NYCRR Part 500, cybersecurity experts advocate having a well-maintained cybersecurity program in place. The regulation should not be treated as a mere formality that organizations satisfy on paper in order to comply. With the deepening cybersecurity crisis, businesses should embrace it in their own and their stakeholders' interest. Here are some of the major benefits of complying with 23 NYCRR Part 500:

• The regulation clearly states the need for a proper written cybersecurity policy. Despite the looming threat, many businesses do not focus on, invest in or pay attention to drafting a cybersecurity policy that sets out standard measures, protocols and procedures. As a result, they are more likely to be exposed to potential cyberattacks.

• The regulation was drafted with the aim of better protecting regulated entities and their customers. Its requirements reflect a review of multiple factors, including past cyberattack cases, the common vulnerabilities that attackers take advantage of, and established cybersecurity best practices. The measures are designed to protect businesses proactively against cyberthreats rather than after the fact.

• The regulation requires periodic risk assessments and, absent effective continuous monitoring, annual penetration testing and bi-annual (twice-yearly) vulnerability assessments. This is an excellent way of periodically reviewing the measures already in place and closing any gaps that could expose the organization to a data breach. Cybercriminals update their methods regularly, so cybersecurity measures also need to be regularly evaluated and updated.

• The regulation emphasizes regular cybersecurity awareness training for the workforce. It is common for cybercriminals to breach an organization's defenses by preying on non-technical staff through phishing emails, malicious links, insecure internet access and similar lures. Training the workforce in cybersecurity is a highly rewarding exercise in the fight against cyberattacks.

• The regulation requires encryption of nonpublic information both in transit over external networks and at rest; where encryption is infeasible, the regulation expects effective compensating controls approved by the organization's CISO. This step is crucial in protecting sensitive data. Many recent data breaches could have been either avoided entirely or far more limited in damage had proper data encryption been in place.

Want more information or have questions regarding 23 NYCRR Part 500? Join CompCiti on Thursday, March 21, 2019 for a 30-minute webinar on “NYCRR – A Cybersecurity Regulation You Must Comply!” Click Here to Save a Seat!