You can spend hours reading 23 NYCRR 500 trying to understand every nuance and intricacy of the requirement. Let me make your life easier and simplify it – you need a cybersecurity program.
Ok, maybe that’s oversimplifying it, but not by much. Section 2 of the regulation provides the first tangible requirement Covered Entities must contend with: “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”
In practice, the way companies go about implementing a cybersecurity program is by establishing policies and procedures that outline the way Nonpublic Information (NPI) is protected. And while nobody loves regulatory requirements or the consequences of noncompliance, 23 NYCRR 500 actually provides a pretty clear outline for what a cybersecurity program must include. If you’re not entirely exempt from the requirements of the regulation (go read Section 19 if you’re unsure), your cybersecurity program must at least contain or address the following:
- Cybersecurity Policy – Document that governs expectations for how the company will protect NPI. Required in Section 3.
- Access Privileges – Limits access to NPI to only authorized parties. Required in Section 7.
- Risk Assessment – Evaluates internal cybersecurity risks to NPI and informs policies and procedures. Required in Section 9.
- Third Party Service Provider Security Policy – Document that governs how third-party relationships are managed to ensure protection of NPI. Required in Section 11.
- Limitations on Data Retention – Ensures that NPI is only retained as long as necessary based on legal and business requirements. Required in Section 13.
- Notice to Superintendent – Requires that cybersecurity events be reported to the Superintendent of the New York Department of Financial Services. Required in Section 17.
Other pieces may be necessary to complete your cybersecurity puzzle, but if you do nothing else, start here. The cybersecurity program required in Section 2 is the crux of 23 NYCRR 500 and mandates these components. Over the coming weeks, we’ll dive deeper into each section of 23 NYCRR 500.