What is Data Retention?

The company I worked for previously is a world leader in data retention. The cornerstone of their business is helping companies conduct thorough data inventories to identify what sensitive and regulated data they process. From there, they help clients determine what information needs to be deleted, destroyed or purged – they help companies stand up…

What is Multi-Factor Authentication?

Under the 23 NYCRR 500, each Covered Entity must implement “effective controls” based on its Risk Assessment to protect against unauthorized access to Nonpublic Information. This is a rather imprecise call-to-action on its own, but NY DFS provides further clarity as to its expectations. Specifically, the implication is that multi-factor authentication is expected. So, what…

What is a CISO?

Section 4 of 23 NYCRR 500 requires covered entities to “designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The regulation refers to this individual as a Chief Information Security Officer, or CISO for short. This requirement may seem burdensome for a small company like…

Am I Exempt from New York’s Cybersecurity Regulation?

“I’m a small agency, so the New York regulation doesn’t apply to me, right?” This is perhaps the most common question, or rather misunderstanding, related to the New York Department of Financial Services cybersecurity regulation. At a recent conference in the northeast, we heard “I only have four employees” or “I only do about $1M…