There are just four weeks left until March 1, 2019, the deadline for the final clause of 23 NYCRR 500 (the NYDFS Cybersecurity Regulation): “Third Party Providers: Written Policy and Procedure” (§500.11). The first clauses of 23 NYCRR 500 took effect on March 1, 2017. All financial services companies under NYDFS supervision must meet the Regulation by implementing adequate information security measures. 23 NYCRR 500 is considered the first state regulation to address cybersecurity in financial services organizations.
By March 1, 2019, organizations are required to:
- Maintain a cybersecurity program
- Implement and maintain a cybersecurity policy
- Report to the board of directors in writing on the cybersecurity program at least annually
- Limit and periodically review user access privileges
- Use qualified cybersecurity personnel
- Implement written policies and procedures designed to ensure the security of information systems and non-public information
- Establish a written incident response plan designed to ensure prompt response to and recovery from cybersecurity incidents
- Notify the superintendent of a cybersecurity event as promptly as possible, and no later than 72 hours after determining that the event has occurred
- Submit an annual written statement certifying compliance for the previous calendar year
How can your organization achieve compliance?
Meeting the NYDFS’s requirements by the deadline can be challenging. It is essential to take the right steps now to plan your cybersecurity program and align it with your business objectives.
You can meet your obligations and deadlines with ISO 27001, the international standard that specifies the requirements for a best-practice ISMS (information security management system). Such a management system is an effective way to meet the Regulation’s requirements, protect and monitor information, and implement continual improvement processes, helping your organization keep pace with evolving cyber threats.