This is the third part of a 3-part instructional series from 24By7Security on the New York State Cybersecurity Regulations.
This 3-part instructional series addresses requirements that New York Department of Financial Services (NYDFS) introduced as NY CRR 500 (Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations). There are 23 sections, 15 of which specifically deal with Cybersecurity requirements.
Any entity subject to the Banking, Insurance and/or Financial Services laws in New York State is considered a covered entity for the purpose of compliance with NY CRR 500.
Some key definitions that are part of this regulation are:
- Covered Entities – the financial institutions subject to this regulation because they are subject to the Banking, Insurance and/or Financial Services laws in New York State.
- Third Party Service Providers – vendors providing services to Covered Entities that, as part of their work for the Covered Entities, maintain, process or otherwise access Nonpublic Information.
- Affiliates – subsidiaries of Covered Entities.
- Nonpublic Information – business information of the Covered Entity, as well as PII (Personally Identifiable Information) and PHI (Protected Health Information).
There are 5 sections of the regulation that address the various Cybersecurity activities that covered entities should be carrying out as part of the implementation of this phase. The PDF available for download in this article describes what these sections entail.
Section 500.06 provides regulations on audit trails and retention requirements. Section 500.08 specifies application security requirements to be included in written policies, procedures and guidelines; it also addresses periodic review and revision of these policies and procedures. Section 500.13 covers the disposal of data. Section 500.14(a) discusses the need to monitor user activity and detect incidents. Section 500.15 sets out rules related to encryption. Section 500.11, addressing third-party service provider security, is due on March 1, 2019. It addresses the security controls to be put in place with vendors or third-party service providers who access the covered entity’s Nonpublic Information.
The New York Cybersecurity Regulations put forth by the Department of Financial Services are a comprehensive set of step-by-step requirements that assist covered entities in setting up and maintaining a strong Cybersecurity posture, which is essential in today’s world of constant cyber crime. We hope that you find this blog and our download useful as a guideline to help you get compliant, or even as a checklist to verify your current state. This is Part 3 of an instructional series brought to you by 24By7Security on compliance with the New York State (NYDFS) Cybersecurity Regulations NY CRR 500, covering items that should be complied with by September 1, 2018 and one section that should be complied with by March 1, 2019.