23 NYCRR Part 500 became effective on March 1, 2017. The New York Department of Financial Services (NYDFS) requires banks, insurers and other financial services companies to set up a cybersecurity program aimed at protecting consumer information from being compromised or stolen.
The impact of the regulation is much broader than just New York State as it applies to any organization with a presence in New York and may even extend beyond financial service companies depending on the data collected and with whom the organization works.
To comply with this regulation, each company must assess its own risk profile and design a program that addresses this risk posture. Senior management must take this regulation seriously and annually file certification confirming compliance. If you have not already, do the following 5 things immediately:
1. Assign a Chief Information Security Officer (CISO)
2. File an annual certification confirming compliance with 23 NYCRR Part 500 regulations
3. Conduct regular assessments including penetration testing and vulnerability assessments
4. Deploy key technologies including encryption and data classification
5. Have a process that allows you to report within 72 hours any cybersecurity event
To learn more about how to comply, read our whitepaper that explains how Spirion software helps find sensitive data and then lets you classify and manage that data to reduce your risk posture: How Spirion Helps Comply with 23 NYCRR 500.