New York State has led the nation in releasing its 23 NYCRR 500 cybersecurity regulation for financial institutions. This article is aimed mostly at those institutions, to give them guidance on what this regulation will expect of them, but its adoption has consequences for all states, as it is likely this approach will be expanded nationally in the US.

First, let's be clear that this regulation is a good thing. It will add more regulatory overhead in the short term, but it sends a message that companies are simply not going far enough in their cybersecurity strategy. Installing a firewall and paying for network monitoring are not enough. A proper cyber defensive strategy includes people, process and technology, with continuous improvement. This regulation mandates that these things are now done at a deep level, and driven by someone who has cybersecurity experience, i.e., a CISO. Even better, the regulators have understood that these roles may be hard to fill internally and have made a provision that all aspects of the program can be outsourced, a boon to consulting companies and experienced vCISO companies.

The high-level requirements are listed below:
Financial Institutions have the following deadlines to comply with this regulation:
As always, it’s best not to wait until the last minute to get these controls in place. Firms are encouraged to approach this proactively, which will also be easier on budgets when spread over the deadlines provided.