If you take a step back and really boil down 23 NYCRR 500, it would be fair to say that the primary requirement is to develop a Cybersecurity Program that protects Nonpublic Information (NPI) from unauthorized access. Yes, there are more detailed requirements than that, which we’ve covered in previous blog posts, but the ultimate result of compliance with 23 NYCRR 500 should look like a mature Cybersecurity Program.
Not only are Covered Entities required to maintain a cybersecurity program, but “the cybersecurity program shall be based on the Covered Entity’s Risk Assessment…” I think we all understand the concept of ‘risk assessment’ in general, so let’s look at the idea as it relates to 23 NYCRR 500.
The Risk Assessment is introduced in Section 2 but does not get a dedicated explanation until Section 9. And though the Risk Assessment serves as the foundation of the cybersecurity program, how it is to be conducted is not clearly defined or prescribed. Here’s what we do know:
- Section 9 calls for a periodic Risk Assessment so that a Covered Entity can understand, and in turn respond to and mitigate, the threats it faces to the confidentiality, integrity and availability of NPI. This isn’t a one-time effort. It must be repeated on a routine basis and revisited as the business and its risks change.
- The Risk Assessment must be carried out according to documented policies and procedures. This goes back to what we always say: DOCUMENT, DOCUMENT, DOCUMENT. Ad hoc, haphazard, inconsistent attempts at risk assessments aren’t going to fly. Pick a standard, lock into it and update it as your business changes over time.
- No decisions should be made on a whim. Section 9 effectively requires a rhyme and reason to your risk assessment: the questions and criteria you use to identify, categorize and evaluate risks need to be written down and based on best practices and relevant standards. The goal here is consistency. If you’re going to accept a risk rather than mitigate it, you’ll need to be able to explain why, and “I didn’t know how to fix it” probably isn’t going to be a good enough reason.
It would be wonderful if 23 NYCRR 500 provided clearer guidance on what independent insurance producers need to do to have a defensible Risk Assessment, but that’s not the reality. What the regulation is clear about is consistency.
You don’t need to spend thousands of dollars to have a consultant come in and conduct a risk assessment, but you might need some outside expertise to even know where to begin your risk assessment process. We have the resources you need, and we’d love to get you started.