A limited exemption does not equal limited responsibility
As with any new law, confusion has swirled around companies scrambling to understand their responsibilities under 23 NYCRR 500, New York’s “first-in-the-nation” cybersecurity regulations that affect any businesses or organizations that report to the state’s Department of Financial Services (DFS).
The biggest myth out there is that some companies are exempt from complying with the law’s rigorous regulations, which went into effect March 1. While there are some limited exemptions from some of the law’s requirements, any company, anywhere, that does business in New York in an industry overseen by DFS must have a cybersecurity program in place that meets the robust new standards.
Small business? You still need to follow at least parts of the law. Headquartered elsewhere? If you do business in New York, the law applies to your company. State-chartered banks, licensed lenders, private bankers, mortgage companies and insurance companies, as well as their third-party service providers? Yes, this means you.
DFS’s groundbreaking set of cybersecurity compliance regulations is a direct response to the rising frequency and sophistication of cyber-attacks in recent years. Although many of the rules were already considered “best practice” in the industry, companies that passed Aug. 28 without meeting the first round of requirements face steep fines and continued vulnerability to a security breach.
Who qualifies for a limited exemption?
Companies had until last month to file for a limited exemption from the new regulations. To qualify, businesses and organizations must meet one or more of the following criteria:
- fewer than 10 employees located in New York, including independent contractors;
- less than $5 million in gross annual revenue from business operations in New York for each of the last three fiscal years;
- less than $10 million in year-end total assets.
If my business receives a limited exemption, is there anything I must do to comply with the law?
Yes. Companies deemed small enough to escape some of the new law’s more onerous and costly parts must still comply with many of its requirements. Small businesses must still maintain a cybersecurity program, have a written cybersecurity policy, conduct regular risk and vulnerability assessments, limit user access to information systems that hold nonpublic information, have a written security policy in place for third-party service providers, and have procedures for disposing of nonpublic information. They also must promptly report any cybersecurity events. Finally, be aware that companies can lose their limited exemptions if their business no longer meets any of the criteria mentioned earlier.
So, what does a limited exemption do for my company?
Businesses that receive limited exemptions are not obligated to follow certain parts of the regulation. These include designating a chief information security officer, encrypting or developing equivalent controls for nonpublic information, creating requirements for training and monitoring, using multi-factor authentication, and writing an incident response plan.
Earlier this year, Forbes deemed cybersecurity “the biggest concern of 2017.” Its prediction proved true last month after a massive security breach at Equifax raised the risk of identity theft for 145.5 million Americans. New York’s new cybersecurity compliance mandates are bold, but they are not impossible for businesses or organizations to achieve. Many of the requirements were already considered to be the gold standard for protecting sensitive data, and they are not too expensive or difficult to put in place. A qualified information technology or technology security company can make these needed changes seamlessly for any business or organization.
Meeting the mandates of 23 NYCRR 500 does more than keep New York businesses in compliance with the law. It allows them to protect against security breaches that can cause enormous hits to revenue and customer confidence, as well as expensive legal action. Going above and beyond to protect sensitive information at a time when frightening data breaches seem to dominate the news also goes a long way toward making any business stand out in the crowded market of the Empire State.
If you need help complying with 23 NYCRR 500 or simply want to make sure your business is protected against a potential cyber breach, CyberGuard 360 can help. Call us at 844-315-9882 or use our contact form for a free consultation.