I’ve spent a great deal of time digging into cybersecurity policies over the years. I’ve seen the good, the bad and the ugly. In fact, back in the day, my first job out of college involved helping one of the largest banks in the United States develop its very first Cybersecurity Policy and Incident Response…
It is sometimes said – usually by nerdy Information Security people – that there are two types of companies: those that know that they have had a data breach and those that don’t know that they have had a data breach. It is therefore critical to have a plan in place for the day you…
You can spend hours reading 23 NYCRR 500 trying to understand every nuance and intricacy of the requirement. Let me make your life easier and simplify it – you need a cybersecurity program. Ok, maybe that’s oversimplifying it, but not by much. Section 2 of the regulation provides the first tangible requirement Covered Entities must…
The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…
In Reg 500 (23 NYCRR 500), the New York Department of Financial Services mandates the use of encryption as a means of providing adequate protection of Nonpublic Information. A library of books could be written on the topic of encryption – the mathematics and algorithms, the history of cryptography, etc. For some people, this is…
Under the 23 NYCRR 500, each Covered Entity must implement “effective controls” based on its Risk Assessment to protect against unauthorized access to Nonpublic Information. This is a rather imprecise call-to-action on its own, but NY DFS provides further clarity as to its expectations. Specifically, the implication is that multi-factor authentication is expected. So, what…
Section 4 of 23 NYCRR 500 requires covered entities to “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The regulation refers to this individual as a Chief Information Security Officer, or CISO for short. This requirement may seem burdensome for a small company like…
“I’m a small agency, so the New York regulation doesn’t apply to me, right?” This is perhaps the most common question, or rather misunderstanding, related to the New York Department of Financial Services cybersecurity regulation. At a recent conference in the northeast, we heard “I only have four employees” or “I only do about $1M…
Managing who has access (and who doesn’t have access) to Nonpublic Information is key to a strong cybersecurity program and to compliance with 23 NYCRR 500. Small companies and independent insurance producers, listen up. This is for you, too. Managing user access to sensitive information is a cornerstone of cybersecurity. So you might be a…
Great news for all of the independent insurance agencies out there with limited exemptions under Reg 500 – managing application security as defined under 23 NYCRR 500 does not apply to you! You are off the hook but it may still be beneficial to understand the concept for the overall maturity of your cybersecurity program.…