The regulatory environment in cybersecurity continues to evolve. It’s clear the direction is towards a more aggressive regulatory environment. An interesting theme with recent cybersecurity regulations is the far-reaching impact they’re having in terms of organizations impacted.
For example, the European Union’s (EU) General Data Protection Regulation (GDPR) is having far-reaching impacts beyond the EU impacting any company doing business in Europe. Another regulation that has broad reaching impacts is the New York Department of Financial Services (NYDFS) Cybersecurity regulation officially referred to as 23 NYCRR 500.
In this blog, we will take a high-level look at this regulation, what we find interesting about it, and how using a Threat Intelligence Gateway can help organizations comply with this regulation.
High Level Requirements of 23 NYCRR 500
The NYDFS defines this regulation as “certain minimum regulatory standards” for cybersecurity considering the economic and business risk this poses to financial services firms operating in New York and the state’s economy given the critical nature of this industry to the state.
The high-level requirements include:
Interesting Aspects of 23 NYCRR 500
There are many components to the 23 NYCRR 500 regulation but these were what we found to be most interesting.
Broad Reaching Geographic & Vertical Impacts
Like GDPR, the NYDFS Cybersecurity regulation has far reaching impacts. The regulation defines Covered Entities as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
If you are an out of state or foreign company and you do business in New York, you are likely subject to this regulation. The regulation also spans banks, insurance companies, mortgage brokers but also impacts healthcare maintenance organizations (HMOs) and Continuing Care Retirement Communities because they are regulated under New York Insurance Law.
The Regulation is Mandatory
23 NYCRR 500 is a mandatory regulation and we believe the first mandatory state regulation in cybersecurity. Covered entities are required to file an annual compliance certification confirming compliance with the regulation. What’s unclear currently is what the penalties for non-compliance are.
Non-public Information Must Be Encrypted
With many cybersecurity regulations, data protection is focused on personally identifiable information (PII). However, 23 NYCRR 500 takes a broader view with the requirement that all non-public information be encrypted. This is interesting but not surprising given that regulations around non-public information has been a longstanding area of regulatory focus in the financial services industry (“Blue Horseshoe loves Anacott Steel”).
Companies Must Designate a CISO
This is the first regulation we can recall that requires an organization to designate a CISO. The regulation enables a high degree of flexibility allowing organizations to outsource this to a third-party.
How a Threat Intelligence Gateway Can Help Organizations Comply with 23 NYCRR 500
A Threat Intelligence Gateway (TIG) can help organizations comply with multiple elements of the Develop a Cybersecurity Program requirement. Specifically:
The cybersecurity regulatory landscape is likely to become more intense and more stringent over the coming years. Over the course of this year, it’s becoming apparent that more recent regulations like the EU’s GDPR and New York’s 23 NYCRR 500 are having broader ramifications in terms of the impact on organizations. As we’ve seen with standards like the NIST Cybersecurity Framework, we think that consuming and using TI can not only help to achieve compliance with these regulations and frameworks, but we also expect the use of TI and information sharing to become a more critical requirement.