Section 4 of 23 NYCRR 500 requires covered entities to “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The regulation refers to this individual as a Chief Information Security Officer, or CISO for short.
This requirement may seem burdensome for a small company like yours. Well, I have good news and bad news…
The good news is that the CISO does not have to be a full-time, or even part-time, employee. Section 4 expressly allows the role to be filled by an employee of an affiliate or by a third party service provider with the experience and capacity to oversee your cybersecurity program. If you go that route, understand what the regulation still asks of you: you retain full responsibility for compliance, you must designate a senior member of your own personnel to direct and oversee the third party, and you must require that third party to maintain a cybersecurity program that meets the regulation's requirements. You cannot shift liability or responsibility to a third party, but you can leverage experts to help get your arms around your requirements.
The even better news is that, depending on the size of your company, there is a good chance you are entirely exempt from this requirement. Refer to Section 19 of the regulation to see which exemptions might apply and whether you are required to have a CISO. Note that an exemption is not automatic: if you determine that you qualify for one, the regulation requires you to file a Notice of Exemption with the Department of Financial Services.
Now the bad news. If you are in fact exempt from Section 4, you likely still have some fairly comprehensive requirements under 23 NYCRR 500. Depending on which exemption applies, these may include implementing a Cybersecurity Program, a Cybersecurity Policy and a Third Party Service Provider Security Policy, conducting an annual Risk Assessment, limiting user access privileges, limiting how long you retain nonpublic information, and notifying the Department of cybersecurity events, among other potential requirements. If you are exempt from the CISO requirement and decide to save money by not outsourcing the management of your cybersecurity program, it is up to you to ensure the requirements of the regulation are reflected in your program.
Are you comfortable writing and implementing a cybersecurity policy? Have you ever created and followed an incident response plan or a data retention schedule?
That is what Securibly provides: the resources independent insurance agencies need to implement and maintain a defensible cybersecurity program. Click here to learn more about how we can help.