Great news for all of the independent insurance agencies out there with limited exemptions under Reg 500 – managing application security as defined under 23 NYCRR 500 does not apply to you! You are off the hook, but it may still be beneficial to understand the concept for the overall maturity of your cybersecurity program.
Application security is the process of building strong cybersecurity into applications (i.e., software, apps, etc.) that you develop or acquire. So, if you have a software development team coding away all day, this is something you need to consider. Or, if you leverage external applications to run your business, you’ll need to evaluate the provider’s application security practices.
Section 8 of 23 NYCRR 500 addresses application security and does so at a very high level. If this requirement applies, you are required to implement written procedures, guidelines and standards to ensure that secure development practices are in place. These documents must also account for the evaluation, assessment and testing of applications that are developed externally.
Most sophisticated organizations adopt a formal process, such as the Spiral, Agile or Waterfall methodologies, to provide a framework for how software development will be conducted. This way, changes or enhancements to an application cannot be made without thoughtful deliberation and consideration of the cybersecurity ramifications.
There are many reliable resources and best practices available to help you make a good decision for your business. Don’t take this requirement lightly if it applies; insecure coding is a major source of security vulnerabilities and is all too common today.
Be sure that nothing is done ad hoc and that you have the documented procedures, guidelines and standards for facilitating your software development process in a way that manages cybersecurity considerations.