Defining, achieving, and maintaining compliance with 23 NYCRR Part 500
The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity Regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.
The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (by August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS). Covered Entities must also implement and maintain a comprehensive cybersecurity program in accordance with a specific compliance timeline.
The NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity climate facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.
The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:
You might already be familiar with the original regulation rules that were proposed, but it’s important to note that the final regulation includes some important changes, including:
The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:
The regulation provides an exemption for organizations with:
The clock started ticking when the NYDFS Cybersecurity Regulation 23 NYCRR Part 500 took effect on March 1, 2017. There are multiple milestones and deadlines to hit in the first year alone, and organizations looking to become compliant will need to pay close attention to the calendar.
Covered Entities are required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must file their first Certification of Compliance with the NYDFS Superintendent’s office by February 15, 2018.
Important steps in achieving compliance are outlined according to the deadlines below.
March 1, 2017 – Effective date of final 23 NYCRR Part 500.
August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.
To achieve and maintain compliance, by this date a Covered Entity must:
February 15, 2018 – Covered Entities must submit their first Certification of Compliance under 23 NYCRR 500.17(b) on or before this date.
March 1, 2018 – One-year mark. To maintain compliance, by this date organizations must:
September 3, 2018 – 18-month mark. By this date, Covered Entities must prove they’ve:
Achieving and maintaining cybersecurity compliance is a complex process, but it doesn’t have to be a difficult or stressful one. There are resources available to help you take a proactive, data-driven approach to comprehensive cybersecurity that can help bring your organization into full compliance, protect your business’s valuable data, and safeguard your customers’ sensitive information.