The road towards public health and safety is lined with many instances of what in retrospect seem like common sense measures, and that may leave some scratching their heads as to why regulation was needed in the first place. Seat belts in cars, smoke detectors in houses, and the removal of lead from gasoline and house paint are just a few examples where an undeniable threat was reduced or eliminated by way of government-issued requirements that ensured and accelerated the response to indisputable health hazards.
In today’s age of information, we are at a similar point with cybercrime. With the ever-growing frequency and sophistication of cyberattacks, the threat to sensitive personal data is irrefutable. Any reasonable company that wants to stay in business should be taking measures to guard against a data breach, and to prepare for responding to and recovering from a cyber-incident.
Once again, governing bodies are stepping up. To make certain that insurance companies, banks, and other regulated financial services institutions are doing what is necessary to “ensure the safety and soundness of the institution and protect its customers,”1 the NYDFS (New York Department of Financial Services) issued Cybersecurity Regulation 23 NYCRR Part 500 in recognition of the volatile cybersecurity climate facing US financial institutions.
Any organization doing business in New York State that is regulated by the Department of Financial Services must comply with the new regulation. The crux of the regulation is developing a robust, risk-based program that protects the confidentiality, integrity, and availability of non-public information. A review of 23 NYCRR Part 500 shows that companies are now required to document and enforce policies and procedures that include:
- Conducting risk assessments of your information systems to categorize threats, assess existing risk controls, and identify how the identified risks will be mitigated.
- Maintaining an inventory of hardware, software and information systems.
- Performing business impact analyses of how the loss or short-term unavailability of data might affect operations.
- Building and maintaining business continuity and disaster recovery plans.
- Testing data backup, recovery and contingency procedures.
- Managing incidents so that any cybersecurity event is promptly responded to and recovered from.
- Reporting lessons learned that document the investigation, mitigation and resolution of incidents.
- Managing vendors and third-party service providers that are permitted access to a company’s non-public information.
Much of what the regulation is requiring is already considered best-practice among business continuity and disaster recovery professionals, but many BCM program owners struggle to fully implement adequate programs due to lack of executive buy-in. This is where 23 NYCRR Part 500 blazes a trail for the future of resiliency.
New York State’s regulation requires the appointment of a Chief Information Security Officer (CISO) to oversee and enforce the program. The CISO is required to report at least annually to the board of directors or a senior officer on the integrity and security of information systems, the overall effectiveness of the program, and the findings for any cybersecurity events that occurred.
Furthermore, a chairperson of the board or a senior officer must annually sign a certification attesting that they have “reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors”2 and that the cybersecurity program complies with the regulation. And according to PwC, if the program is found to be non-compliant, the executive attesting could be held liable.3
Compliance with all sections of the regulation is being phased in over a two-year period ending March 1, 2019, with compliance with most of the sections required by September 3, 2018. Fortunately, if you are a company regulated by the NYDFS and you lack the resources, budget, or expertise to comply with 23 NYCRR Part 500, Assurance Software can help.
With over 30 years of industry-leading experience, Assurance helps companies develop and manage successful business continuity programs with our collaborative, secure BC/DR SaaS solution and our expert services. To help ensure you’re ready to satisfy the new regulation, and more importantly, that you’re prepared to prevent and mitigate the risk of a cybersecurity breach, reach out to a certified business continuity expert at 800-478-7645 to get started.
Written by Ted Marquardt
Ted is in Product Marketing for Assurance. With over two decades of experience in Software Development, he appreciates the daily challenges customers face and the need for solutions to get the job done. Along with the rest of the Product and Sales teams, Ted strives to understand the concerns of BC/DR professionals and articulate how Assurance services and solutions can help solve them. In his free time, you'll find Ted trying to keep up with his busy kids, while squeezing in some time for walking the dog and playing guitar.