Equifax Breach Begs the Question: Are You In Compliance with 23 NYCRR Part 500?

New York's Cybersecurity Regulation (23 NYCRR Part 500)


The NYCRR primarily contains state agency rules and regulations adopted under the State Administrative Procedure Act (SAPA). The 23 Titles include one for each state department, one for miscellaneous agencies and one for the Judiciary. The Office of Court Administration and the Judiciary are exempt from SAPA requirements.

NYCRR Compliance Assessment

Book A No-Obligation DFS Compliance Assessment Session


About CompCiti

CompCiti Business Solutions, Inc. provides clients what few other IT companies in New York can: expertise and insights developed since business networking began. CompCiti's focus on cybersecurity and cyber management services sets it above other business network services. CompCiti secures networks and other IT systems against all cyber threats, including viruses, hackers, and ransomware, and has offered cybersecurity, networking, and managed IT services, all supported by 24/7 emergency service, since 1996.


Contact CompCiti today for a free needs assessment. We’ll explain to you what you need to do for full DFS compliance and how we can help you every step of the way.

2017. www.compciti.com. All rights reserved.


NYDFS - 23 NYCRR 500

The requirements outlined by this new regulation include:

  - Appoint a Chief Information Security Officer (CISO)
  - Establish a cybersecurity program
  - Implement and maintain a written cybersecurity policy
  - Conduct annual penetration tests and bi-annual vulnerability assessments
  - Evaluate, assess, and test the security of in-house and external technology applications
  - Conduct a periodic risk assessment
  - Ensure cybersecurity personnel are properly trained and qualified
  - Establish policies and procedures to protect nonpublic information held by third-party service providers
  - Implement multi-factor or risk-based authentication
  - Ensure secure disposal, on a periodic basis, of any nonpublic information
  - Monitor and train all firm personnel
  - Encrypt nonpublic information
  - Establish a written incident response plan
  - Notify the superintendent of any cybersecurity event within 72 hours

Who Is Affected?

The NYDFS Cybersecurity Regulation covers any organization operating in the state of New York under authorization of the Banking Law, the Insurance Law, or the Financial Services Law.

This includes:

  - Licensed lenders
  - State-chartered banks
  - Trust companies
  - Service contract providers
  - Private bankers
  - Mortgage companies
  - Insurance companies doing business in New York
  - Non-U.S. banks licensed to operate in New York

Who Is Exempted?

A Covered Entity is exempt from certain provisions of the regulation if it has:

  - Fewer than 10 employees
  - Less than $5 million in gross annual revenue for three years, or
  - Less than $10 million in year-end total assets

Certain entities that do not handle classes of nonpublic information are also exempt from certain provisions (23 NYCRR 500.19(c) and (d)).

If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of the determination of the exemption (23 NYCRR 500.19(e)).

What Is the NYCRR Cybersecurity Regulation?

The NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity climate facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.

The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS).

How CompCiti Can Help

According to the new NYDFS cybersecurity regulation, it is mandatory for all covered entities to implement and file under the regulation by August 28, 2017. Those who are not compliant by this deadline will be penalized. The compliance experts at CompCiti will not only ensure that you are compliant, but will help you implement a more effective, long-term cybersecurity protocol in the process.
