N.Y. insurers, banks prepare for February cybersecurity deadline


On Feb. 15, the first of several important milestones in New York’s new cybersecurity regulations, called 23 NYCRR 500, will compel the state’s financial services companies to adopt policies to keep their data safe. The regulations, handed down by the New York State Department of Financial Services, are the first of their kind in the country.

As other states consider the adoption of similar regulations, financial services companies in the rest of the U.S. would do well to follow the roll-out of 23 NYCRR 500 and the ways in which covered entities are working to meet the new requirements. Affected companies include banks, insurers and investment companies licensed by or operating in New York State. 23 NYCRR 500 excludes companies with fewer than 10 employees and contractors, or less than $5 million in New York gross annual revenue, or less than $10 million in year-end assets.

alt textBuilding a plan and a policy

Covered entities will have had 180 days to establish and maintain a written cybersecurity program to protect their information systems. This program should be based on the company’s risk assessment, and should be able to protect sensitive data from breaches or manipulation by bad actors.

Companies must also show a written cybersecurity policy that has been approved by a Senior Officer or Board of Directors, and document procedures for safeguarding information systems along with any stored, sensitive data.

Affected companies should consider how already-existing cybersecurity controls are documented, and whether the policy includes administrative, logical and physical safeguards for data and systems.

New York’s cybersecurity laws also require covered entities to install a Chief Information Security Officer to oversee and implement the program and enforce the policy. If a company does not already have a CISO, it’s worth considering whether the hiring of a new team member is the best way forward. A CISO from an affiliate organization or a third-party service provider would also fulfill this requirement.

Companies that have an affiliate that maintains a cybersecurity program that matches the requirements set forth by 23 NYCRR 500 can adopt that program. Finance leaders also should be aware of the many different guidelines available to frame a cybersecurity program, such as NIST, ISO 27001, COBIT, or COSO.

alt textA compliant cybersecurity program needs qualified personnel to drive it. Like the CISO, these need not be new full-time employees; affiliates or third-party contractors will satisfy New York’s regulations. But no matter where an organization’s cybersecurity team comes from, they must absolutely understand IT infrastructure and basic cybersecurity elements.

These IT professionals also need to be apprised of a company’s access privileges, which are required by 23 NYCRR 500 to limit access to information systems that store non-public information. These privileges should be periodically reviewed and updated.

Blankit Insurance Group is committed to maintaining the most up to date resources for all of our clients and believe that it is part of our duty to help our clients with this information. We have your back long after you purchase a policy from us. We are here to help for the rest of your life.

We at Blankit work hard to make sure that you have the most accurate information from around the country and world. With Blankit, you will always be ahead and never catching up. We work hard to protect what you work hard for. We never take a shortcut and are always thorough with our advice.

alt text

When things go wrong

Finally, companies need a written incident response plan. The best plans are concise and flexible, able to adapt to evolving cyber threats instead of trying to plan for every possibility. One plan tested 100 times is superior to a plan that tries to account for 100 different types of emergencies.

When crafting a response plan, consider the company goals that need to be met. Who will be involved in a data breach? What will their responsibilities be? Who has the authority to make decisions when an incident occurs? How often will the plan be tested?

These requirements are only the beginning of the cybersecurity transformation that will take place in New York’s financial services companies over the next two years. Future milestones will enact guidelines for penetration testing and vulnerability assessments, data retention limits, training, and encryption.

The need for these safeguards has never been clearer. Last year, the IBM X-Force Threat Intelligence Index ranked financial services the top target of data breaches, attacked 65 percent more often than any other industry. New York may well lead the nation with the introduction of these regulations, as it led in 1984 with the country’s first vehicle safety belt laws.


Leave a Comment: