The two-year transitional period of the NYS DFS cybersecurity regulation (23 NYCRR 500) comes to an end this Friday, March 1st, 2019, at which point all 'covered entities' must be fully compliant. So, who does this impact, what is required to be compliant, and how can ActZero help? I'll detail some specific requirements of the regulation, a few of the exemptions from them, and how our MDR and vCISO services can help your business meet them.
Who does it impact?
Any entity that is regulated by New York State's banking, insurance, or financial services laws and has not been issued an exemption. Like GDPR, the regulation reaches beyond its home jurisdiction: an entity based outside New York State must still comply if it does regulated business there. Note that having a compliant parent or subsidiary may not be enough on its own; it depends on how data and security systems are shared across these distinct business entities.
What are the exemptions?
Several criteria can exempt an entity from specific requirements of the regulation, but not from all of it. In most cases, an exempt entity is still required to have a cybersecurity policy and program, along with many other requirements (see the exemptions section of the NY DFS website for the full list). The exemptions mainly depend on the size of the business in question, measured by number of employees, revenue, or total year-end assets. Others apply to entities that do not control any information systems at all (rare in our increasingly data-driven society), or to other particular cases.
What is the impact?
The regulation includes stipulations about your security measures, designed to protect the nonpublic information of New Yorkers. Examples include: a cybersecurity program and written policy based on a risk assessment; designation of a CISO (yes, a Virtual CISO with ActZero does meet this requirement, as the regulation allows the role to be filled by a third-party service provider); a written incident response plan; cybersecurity personnel and intelligence; specific stipulations on access privileges; and limitations on data retention. It is a long list of requirements, and assessing and implementing them properly takes an expert.
Ultimately, as with most privacy-driven regulations these days, the requirement to disclose breaches can have some of the highest potential impacts on a business. While the time allowed for disclosure, and who must be notified, changes depending on the specific regulation, the common thread is that if sensitive or personal information is accessed, manipulated or deleted, the entity must disclose that this has happened. Under 23 NYCRR 500 specifically, a covered entity must notify the DFS superintendent within 72 hours of determining that a reportable cybersecurity event has occurred; separate New York breach-notification law governs notice to the individuals whose data was affected.
How can ActZero help?
ActZero can help with specific requirements of the regulation in two ways, through our MDR and vCISO services. At a high level, the MDR service serves as a critical component of the cybersecurity program the regulation requires, and supports several of the specific requirements mentioned above. Really, the main impact for businesses under privacy regulations like this one (and CCPA, GDPR, PIPEDA) is mandatory breach reporting: you must disclose when your organization is breached and what the impact to your clients, partners, or "residents of New York" is. ActZero MDR helps by identifying threats and vulnerabilities BEFORE they become breaches. In the event of a breach, we can also help mitigate the damage and provide forensic information to support your disclosure, should you require one.
The second way is through our vCISO service (we talk about it more here). Not only does this help your business meet the specific requirement of the regulation (500.04) that your organization designate a CISO, but you can also engage our vCISOs to address many of the other requirements: writing your cybersecurity policy, writing your incident response plan, and reporting on your cybersecurity posture.
Note that New York isn't the only US state putting privacy and cybersecurity laws in place, and many of them (like GDPR in the EU) are 'far-reaching' in that they apply not just to businesses based in those states, but to businesses doing business there. See a comprehensive list here. If you're doing business in Ontario, you can review our advice on PIPEDA here, and how we help address its requirements here. Many of these laws are closely aligned with the requirements detailed in GDPR, which we cover here, with more recent implications here. And if those aren't enough for you, you can explore how ActZero can help your organization meet these and other requirements by engaging one of our experts today!