23 NYCRR 500 requires Covered Entities to implement a Third Party Service Provider Security Policy in Section 11. In reality, there is more to the requirement than simply crafting a policy. There are several other requirements Covered Entities must contend with in relation to Third Party Service Providers: Identification and initial risk assessment of third…
Section 14 of 23 NYCRR500 is broken into two seemingly unrelated sections – training and monitoring. Section 14(a) focuses on monitoring requirements and Section 14(b) focuses on training requirements. Section 14(a) is anything but prescriptive and essentially requires Covered Entities to implement policies, procedures and controls to monitor their network activity to detect unauthorized access…
If you take a step back and really boil down 23 NYCRR 500, it would be fair to say that the primary requirement is to develop a Cybersecurity Program to protect unauthorized access of Nonpublic Information (NPI). Yes, there are more detailed requirements than that, which we’ve covered in previous blog posts, but the ultimate…
I’ve spent a great deal of time digging into cybersecurity policies over the years. I’ve seen the good, the bad and the ugly. In fact, back in the day, my first job out of college involved helping one of the largest banks in the United States develop its very first Cybersecurity Policy and Incident Response…
It is sometimes said – usually by nerdy Information Security people – that there are two types of companies: those that know that they have had a data breach and those that don’t know that they have had a data breach. It is therefore critical to have a plan in place for the day you…
You can spend hours reading 23 NYCRR 500 trying to understand every nuance and intricacy of the requirement. Let me make your life easier and simplify it – you need a cybersecurity program. Ok, maybe that’s oversimplifying it, but not by much. Section 2 of the regulation provides the first tangible requirement Covered Entities must…
The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…
In Reg 500 (23 NYCRR 500), the New York Department of Financial Services mandates the use of encryption as a means of providing adequate protection of Nonpublic Information. A library of books could be written on the topic of encryption – the mathematics and algorithms, the history of cryptography, etc. For some people, this is…
Under the 23 NYCRR 500, each Covered Entity must implement “effective controls” based on its Risk Assessment to protect against unauthorized access to Nonpublic Information. This is a rather imprecise call-to-action on its own, but NY DFS provides further clarity as to its expectations. Specifically, the implication is that multi-factor authentication is expected. So, what…
Section 4 of 23 NYCRR 500 requires covered entities to “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The regulation refers to this individual as a Chief Information Security Officer, or CISO for short. This requirement may seem burdensome for a small company like…