Cybersecurity regulations must evolve to meet new challenges in a world increasingly reliant on digital technologies. At Delaney Computer Services, Inc. (DCS), part of our core mission is to keep our clients and partners up to date with critical industry developments. Today, we're taking a closer look at the proposed second amendment to 23 NYCRR 500, a New York State regulation impacting financial services companies.
Before diving into the proposed changes, let's quickly revisit the current state of 23 NYCRR 500. It mandates several key requirements, such as:
Notice of Cybersecurity Events: Entities must notify the superintendent within 72 hours of determining that a cybersecurity event has occurred. This relates to events requiring notification to a government body or supervisory body, or events that could materially harm the entity's normal operation(s).
Annual Submission: Entities must submit an annual written statement by April 15th, certifying compliance with the regulation's requirements. All records, schedules, and data supporting this certificate must be maintained for a period of five years for examination by the department.
Now, let's explore the notable changes proposed in the draft amendment to 23 NYCRR 500:
Class A Companies: This new category defines entities with at least $20 million in gross annual revenue in each of the last two fiscal years from business operations in NY, and either more than 2,000 employees or over $1 billion in gross annual revenue averaged over the last three fiscal years. These companies are subject to additional requirements, such as conducting independent audits and risk assessments annually.
Increased Cybersecurity Governance: The proposal includes more frequent board reporting and a requirement for demonstrated cybersecurity expertise on the Board. It also defines stringent and time-bound notification requirements for data breaches and other cybersecurity events.
Expanded Security Safeguards: The draft amendment proposes a new or increased scope for security safeguards, including penetration testing, email and web filtering, encryption, and multi-factor authentication.
Authority of CISO: The proposed changes emphasize that the Chief Information Security Officer (CISO) should maintain adequate authority to manage cybersecurity risks effectively.
Business Continuity and Disaster Recovery Plan: The draft amendment suggests that covered entities should maintain and test a plan designed to ensure the availability and functionality of the entity’s services in the event of an emergency or disruption of normal business activities.
It's important to note that these are proposed changes and are not yet in effect. However, as technology advances and cyber threats become more complex, businesses must stay informed and ready to adapt. Here at DCS, we understand the implications of these proposed changes and are committed to guiding our clients through their potential impact with confidence and clarity.
As your technology partner, DCS is prepared to support you through these changes and ensure your business continues to thrive in the digital age. I trust that this message finds you all doing exceptionally well.