On March 1, 2017, New York issued the 23 NYCRR Part 500 guideline, a regulation that demands financial firms to execute a thorough framework to better safeguard the data privacy of their consumers. This is pretty identical to PCI DSS, which also outlays how retailers must display that they’ve taken proper care to prevent data infringements by following specific procedures, installing & maintaining equipment, and reporting.
The 23 NYCRR Part 500 regulation is applicable to any registered companies to measure their cybersecurity risk profiles and execute a thorough plan that identifies and lessens that risk. To help corporations in preventing data beaches certain regulatory minimum standards have been set, including:
-
- Risk based minimum standards for information technology systems, including data protection & encryption, access controls, and penetration testing.
-
- Requirements that a program is sufficiently funded, supervised by a CISO, and executed by qualified cybersecurity staff.
- Active incident response plans that encompass preserving data in order to respond to data breaches including notice inside 72 hours to the New York State Department of Financial Services.
-
- Liability given by identification & documentation of insufficiencies, remediation plans, and certifications of compliance on a yearly basis.
-
- Audit trails designed to detect & respond to cybersecurity events.
-
- Annual reports covering the risks encountered, all material events, and the impact on protected data.
What kind of organizations must comply with The 23 NYCRR Part 500 regulation?
The 23 NYCRR Part 500 regulation covers any companies that’s regulated by the New York State Department of Financial Services.
-
- Insurance companies doing business in NY
-
- Non-U.S. banks licensed to operate in NY
-
- Trust companies
-
- Service contract providers
-
- Private bankers
-
- Mortgage companies
-
- Licensed lenders
-
- State-chartered banks
How does a business comply with The 23 NYCRR Part 500 regulation?
To achieve & maintain compliance, a covered company must:
-
- Set up an effective cybersecurity program
-
- Create & maintain a written cybersecurity policy
-
- Assign a CISO (Chief Information Security Officer)
-
- Appoint competent cybersecurity staff or use third party providers
-
- Set up an incident response plan
-
- Submit notification of incidents to the New York State Department of Financial Services inside 72 hours.
CompCiti, a New York based cybersecurity and IT service provider is aware of the difficulties organizations face to become and stay compliant with data privacy regulations. CompCiti offers services tailored to help organizations comply with regulations and follow security best practices. CompCiti provides compliances services for 23 NYCRR 500.
Disclaimer: This content is created and provided by a third-party online content writer on behalf of Compciti, and is for commercial purposes only. Compciti does not take any responsibility for the accuracy of this content.