Background and Purpose
Who is this for? This playbook is for financial services companies regulated by the New York State Department of Financial Services (NYDFS), whether they are headquartered in New York or operate there from elsewhere; the regulation's own definition of a Covered Entity is quoted below.
Organizations that do not fit that description are not bound by 23 NYCRR 500 and need not follow this playbook's sprint plan, but we believe the approach and methodology outlined here remain useful for meeting other states' regulatory requirements and for sustaining a mature cybersecurity culture.
How does this help? This cybersecurity regulation is not for the faint of heart. Impact Makers' Governance, Risk, and Compliance team has broken the regulation's legal text down into actionable sprints that support compliance and lay the foundation for a mature cybersecurity culture.
The playbook also compiles the logistical information (filing deadlines, submission channels, and similar details) that every covered entity would otherwise have to research on its own, so that readers can spend their time and energy on their actual cybersecurity needs.
What is the regulation? The New York Cybersecurity Rule, 23 NYCRR 500 (formally the "Cybersecurity Requirements for Financial Services Companies"), was proposed by the New York State Department of Financial Services (NYDFS) in 2016, finalized in the first quarter of 2017, and took effect March 1, 2017.
The regulation is enforced by the NYDFS and applies to all covered entities, including banks and other financial services firms as well as health, life, and property insurers. It is intended to be consistent with existing State and Federal standards, and its stated purpose is to promote the protection of customer information and of the information technology systems of regulated entities.
Highlights of the regulation include:
• The Regulation requires each covered entity to assess its specific risk profile and to design a cybersecurity program that addresses those risks in a robust fashion; the required controls are scaled to the entity's own risk assessment rather than prescribed as a single checklist.
• Senior management must own the organization's cybersecurity program and file an annual written certification with the NYDFS confirming compliance with the regulation.
• NYDFS defines a Covered Entity as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."
The purpose of this Playbook is to provide a basis and guidance for compliance with 23 NYCRR 500 for covered entities regulated by the NYDFS.
Many organizations will find that a substantial part of the regulatory requirements is already in place and that they chiefly need to inventory existing controls, close any gaps, and report their compliance to the NYDFS. This playbook helps covered entities review their cybersecurity program and confirm that it is current and conforms to each requirement of the regulation.
The cybersecurity framework proposed in this playbook is based on the NIST Cybersecurity Framework (version 1.0). We believe this framework is likely to become the basis for many federally mandated cybersecurity regulations and compliance programs, and, independently of that, it is an effective and measurable way to manage cybersecurity risk across an organization.