Perhaps the least appreciated part of a cybersecurity program is the use of administrative controls. These safeguards are more “process-oriented” than the more tangible controls that we’ve discussed in previous posts like physical and technical protections. As a result, administrative controls are often put on the backburner. But they are fundamentally important and, in fact,…
Technical controls are what most people think of when the word “cybersecurity” comes to mind: encryption, multi-factor authentication, anti-virus software and other slick tools to protect information. While sound cybersecurity extends well beyond these kinds of safeguards, having strong technology inplay to protect data is important. What most small insurance businesses fail to realize is…
As an independent insurance business, you’re on the hook to implement a cybersecurity program. Unfortunately, the laws and regulations in place don’t provide much guidance on the actual, real-life controls that are required as part of said cybersecurity program. A cybersecurity program is made up of three types of controls: physical, technical and…
23 NYCRR 500 requires Covered Entities to implement a Third Party Service Provider Security Policy in Section 11. In reality, there is more to the requirement than simply crafting a policy. There are several other requirements Covered Entities must contend with in relation to Third Party Service Providers: Identification and initial risk assessment of third…
Section 14 of 23 NYCRR500 is broken into two seemingly unrelated sections – training and monitoring. Section 14(a) focuses on monitoring requirements and Section 14(b) focuses on training requirements. Section 14(a) is anything but prescriptive and essentially requires Covered Entities to implement policies, procedures and controls to monitor their network activity to detect unauthorized access…
If you take a step back and really boil down 23 NYCRR 500, it would be fair to say that the primary requirement is to develop a Cybersecurity Program to protect unauthorized access of Nonpublic Information (NPI). Yes, there are more detailed requirements than that, which we’ve covered in previous blog posts, but the ultimate…
I’ve spent a great deal of time digging into cybersecurity policies over the years. I’ve seen the good, the bad and the ugly. In fact, back in the day, my first job out of college involved helping one of the largest banks in the United States develop its very first Cybersecurity Policy and Incident Response…
It is sometimes said – usually by nerdy Information Security people – that there are two types of companies: those that know that they have had a data breach and those that don’t know that they have had a data breach. It is therefore critical to have a plan in place for the day you…
You can spend hours reading 23 NYCRR 500 trying to understand every nuance and intricacy of the requirement. Let me make your life easier and simplify it – you need a cybersecurity program. Ok, maybe that’s oversimplifying it, but not by much. Section 2 of the regulation provides the first tangible requirement Covered Entities must…
The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…