How to make sure you comply with the new NYDFS cybersecurity regulations
Are you ready for 23 NYCRR Part 500? In response to the volume and growing threat of cyber-attacks, the New York State Department of Financial Services (DFS) has finalized a first-in-the-nation cybersecurity regulation. A crucial part of the new regulation is the security incident plan which sets out the guidelines for responding to, and recovering from, a cybersecurity incident.
The new regulation is in response to the increase in cyber criminals seeking to exploit technological vulnerabilities in companies to gain access to sensitive electronic data. Breaches can cause significant financial losses for DFS regulated entities as well as for NY consumers whose private information may be revealed and/or stolen for illicit purposes.
To comply, you should have a well-designed framework with the right solutions in place to reduce your company's risk. Read more about NYCRR Part 500 and what you need to know for the New York cybersecurity regulation on the INVAR blog here.
Certain companies qualify for a limited exemption and you may be exempt if you fall within the criteria. However, there are still certain parts of the regulation that you will need to comply with to keep your company and consumers safe.
Dates for your diary
The regulation became effective on March 1st, 2017. Here are the other key dates for 23 NYCRR Part 500:
| Date | What do you need to do? |
| --- | --- |
| February 15th, 2018 | Covered Entities are required to submit the first certification on or prior to this date. |
| March 1st, 2018 | Covered Entities are required to be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b). |
| September 3rd, 2018 | Covered Entities are required to be in compliance with sections 500.06, 500.08, 500.13, 500.14(a) and 500.15. |
| March 1st, 2019 | Covered Entities are required to be in compliance with section 23 NYCRR 500.11. |
Why is a Security Incident Response Plan so important?
Having a response plan in place means that you can effectively and efficiently respond to any security incident that may present itself.
It is worth noting that an incident is not necessarily a disaster. An incident just means that something out of the 'norm' has happened. And by having a plan to follow, a security incident can be dealt with quickly before it causes a major problem.
With a policy or plan in place, your organization will be clear on what to do and how to do it. A security incident can cause significant panic and uncertainty. But by having a solid procedure in place, you will not only comply with the law but also safeguard your customers and your company.
What you need to know for the Security Incident Response Plan and 23 NYCRR Part 500
Covered entities are required by the DFS to establish a written incident response plan as part of the cybersecurity program requirement.
The plan should be designed to respond to, and recover from, any security event that affects the confidentiality, integrity or availability of the covered entity's information systems, or the continuing functionality of any aspect of the covered entity's business or operations.
The DFS has outlined the following areas that the incident response plan should address:
- Internal processes for responding to a cybersecurity event.
- Goals of the incident response plan.
- The definition of clear roles, responsibilities, and levels of decision-making authority.
- External and internal communications and information sharing.
- Identification of any weaknesses in Information Systems, together with the associated controls and remediation requirements.
- Documentation and reporting of any cybersecurity event and related security incident activities.
- The evaluation and revision of the incident response plan following a cybersecurity event.
Do you have a security incident response plan in place? Starting from scratch is a tough task. To make things easier we’ve put together a free Security Incident Plan template that you can download here to make sure you comply with the new regulations.
The template can be customized to suit your organization's needs and will help you to become compliant with 23 NYCRR Part 500.
It’s not too late to ensure compliance. Speak to INVAR today about our NYDFS cybersecurity packages. We have two solutions available, a Do-It-Yourself package and a full-service solution for DFS-regulated companies.