The March 2018 deadline has passed for New York’s Cybersecurity Regulation (23 NYCRR Part 500). By that date, businesses were required to be in compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b). This regulation was enacted into law by New York to “promote the protection of customer information as well as the information technology systems.”
Businesses affected (covered entities) include any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of the state of New York.
500.04(b) – The Chief Information Security Officer (CISO) of an organization must report, in writing, to executive leadership. The report must address the organization’s Cybersecurity policies and procedures, Cybersecurity risks, the effectiveness of the Cybersecurity program, and material Cybersecurity events during the reporting period.
500.05 – Organizations must institute ongoing or periodic monitoring to ensure the effectiveness of the Cybersecurity program. This includes periodic Penetration Testing and Vulnerability Scanning.
500.09 – The organization must conduct a formal Risk Assessment, document the results, and document an action plan to mitigate or accept the risks.
500.12 – Multi-Factor Authentication (MFA) must be used for all external access to internal networks and to systems that store private data.
500.14(b) – Organizations must provide regular and appropriate Cybersecurity Awareness training for all personnel.