The Last Deadline Has Passed for 23 NYCRR 500 Cybersecurity Compliance


The two-year transition period under New York’s new cybersecurity regulation ended March 1. Here’s an update and where companies should be now in terms of compliance.

Businesses are waking up to the danger they’re facing online. Spending on cybersecurity is expected to exceed $124 billion this year, a figure that has risen annually to combat the escalating threat and crippling costs of a data breach.

The average cost of a cyberattack now exceeds $1 million, with worldwide cybercrime damage expected to cost $6 trillion by 2021. Gartner researchers listed adherence to changing regulations as a prime driver of the increase in cybersecurity spending.

For New York financial companies, the most pressing regulation is 23 NYCRR 500, which details numerous security requirements for qualifying organizations, such as appointing a Chief Information Security Officer (CISO) and assessing internal and external security risks through asset, identity, and device management.

23 NYCRR 500 then and now

Steps toward compliance began in 2017, affecting entities operating in New York state and regulated by the Department of Financial Services – as well as third parties who interface with these companies – including:

  • Private bankers and state-chartered banks
  • Insurance companies doing business in New York and non-U.S. banks that conduct business in New York
  • Mortgage companies and trust companies
  • Licensed lenders
  • Service contract providers

March 1, 2019, marked the two-year deadline for compliance. By this date, all non-exempt businesses (exemptions are defined in FAQ 4) were expected to have their cybersecurity procedures and policy finalized, access controls diligently established, and all third-party services and risks fully assessed.

The March requirements placed a focus on the threat posed by third parties connected to a business, a threat we also detailed in our previous blog. The third-party provisions that had to be met by this March read as follows:

(1) the identification and risk assessment of Third Party Service Providers; (2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing:

(1) the Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required to limit access to relevant Information Systems and Non-public Information.

(2) the Third-Party Service Provider’s policies and procedures for use of encryption to protect Non-public Information in transit and at rest.

(3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Non-public Information being held by the Third-Party Service Provider.

(4) representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Non-public Information.

(c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third-Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.

Moving forward, all new and existing businesses will be expected to comply by annually providing a CISO cybersecurity report to the board of directors and a certification letter to the New York Department of Financial Services (NYDFS), and by having performed a risk assessment and penetration test. The NYDFS published this list of terms and requirements to clarify the steps.

This is New York’s current stance on cybersecurity, and the standard all relevant entities should have met by now. The next question: Has your business obeyed the regulation, and what will it cost if it hasn’t?

The cost of non-compliance

The NYDFS has yet to publish figures on how much non-compliance will cost in fines. Ultimately, it’s a less important number than the one associated with a successful cyberattack. The high cost of a data breach should be enough to spur any organization that cares about its bottom line and reputation into action. Many businesses can recover from fines, whereas many others never bounce back from a cyber-incident.

It’s logical to assume that financial penalties will roll out sooner rather than later. The NYDFS didn’t respond to public suggestions that penalty figures be published, but NY state legal commentators believe future fines will reflect current punishments for breaching the New York Banking Law:

  • Up to $2,500 per day during which a violation continues
  • $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct
  • $75,000 per day in the event of a knowing and willful violation

It’s vital that companies not only comply with regulations but also hire a security partner with the highest standard of service.

Trust Absolute Logic to protect your data

Choosing the wrong cybersecurity provider can be as hazardous as going it alone. An inexperienced or unscrupulous firm could bungle or exploit their position handling privileged data, which makes compliance efforts pointless. It’s also possible for firms to provide incomplete solutions which fail rigorous compliance standards and merely provide a veneer of protection.

Absolute Logic protects our clients across four states and 40 industries, and we provide every service necessary to meet 23 NYCRR 500’s requirements. Our CyberGlass SMM is tailor-made to ensure you’re doing all you can to comply and stay safe.

Absolute Logic’s wide array of services includes system security suites, risk assessment, education and training, and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.