New York State Cyber Regulation


As of March 1, 2017, companies subject to regulation under the Banking Law, Insurance Law, or Financial Services Law in New York State are required to protect their networks and customer data with strong new safeguards under 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies.

The new requirements will feel familiar to companies doing business with the Federal government or the Department of Defense that are already subject to DFARS 252.204-7012 and NIST 800-171. Many of the controls are the same, including required risk assessments, multi-factor authentication, encryption, and incident response planning and preservation.

Institutions subject to the new minimum cybersecurity standards include state-chartered banks and foreign banks licensed to operate in the state, along with any insurer that does business in New York. Vendors and third-party service providers are also affected: if an entity’s data is stored in the cloud, the cloud service provider is subject to the same requirements for protecting data and detecting attacks.

As more regulations related to data protection and cyber risk management are released, it’s important not to get too focused on individual checklists. It’s not unusual for a mid-size business to have to comply with two or more regulations, but remember that risk management, risk transfer, and risk mitigation have been around for a hundred years or more. Tacking the term “cyber” in front of risk doesn’t change the basic principles: understand what you have, identify the threats and vulnerabilities that would cause a system to fail, and determine how much risk you are willing to accept. Cyber risk is simply the risk of a failure of information systems rather than of other systems.

To comply efficiently and effectively with any regulation, whether it be Federal Acquisition Requirements, the European General Data Protection Regulation (GDPR), the Payment Card Industry (PCI) standard, or 23 NYCRR 500, Sera-Brynn recommends four phases: scoping and risk assessment, protect and detect, document, and report.

If your business is facing compliance with multiple regulations, we can help untangle the rules and map the similarities. Contact us today.