23 NYCRR 500: How Cyber Legislation Will Impact Enterprises
Author: Sandy Fury, Herjavec Group Consulting Specialist
How many times have you seen a headline in the New York Times saying that a retailer, a medical services provider or bank has been hacked and thousands of people may be affected? Because we are still seeing these stories in the news, it is evident that data breaches have not subsided over the years, even with all our growing cybersecurity knowledge and technological advances. The fact remains – cyber attacks will continue and cyber criminals will find new ways to break into your systems.
Having a robust cyber/information security program in place is a must as it is matter of when, and not if, you will be compromised. Cybersecurity needs to be a required cost of doing business. Having policies and procedures, trained staff, and hardened networks are far from enough to qualify as due diligence anymore. Preparing for breaches and having plans in place supporting response and recovery, both need to become part of daily operations. Security incident response, business continuity, disaster recovery, and so on are not just information security buzzwords. Having and understanding these are truly essential to your organization’s well-being. They need to be in place, tested on a regular basis, constantly reviewed and improved upon.
Many businesses have learned the hard way that it’s not enough to have policy and procedures in place if you don’t test them in real-life situations. Unfortunately, many organizations treat their incident information security, response plans, disaster recovery plans, business continuity, etc. the same way. Print out some boiler plate policy found on the internet to satisfy an auditor, but do no more. There is no room for this laissez-faire attitude in today’s business world if an organization wants to thrive.
“The bottom line is that if an organization isn’t using common sense and isn’t following best security practices, then sooner or later a legislative body is going to step in and regulate it.”
The most recent iteration of cyber legislation comes to us from the state of New York.
The New York State Department of Financial Services (DFS) is implementing cybersecurity requirements for financial service companies. The new requirement is formally known as, Title 23, Part 500, of the New York Codes, Rules and Regulations (NYCRR). Title 23 refers to Financial Services and Part 500 is the Cybersecurity Requirements for those Financial Services Companies. It is more commonly known as 23 NYCRR 500.
To learn more about the 23 NYCRR 500 and how cyber legislation in your region will impact your enterprise, download our full report by filling out the form below:
To learn more about Herjavec Group’s abilities in Security Consulting, Managed Security Services and Incident Response, please contact us.
For immediate media inquiries, contact Erin McLean, SVP Marketing & Communications, at EMcLean@HerjavecGroup.com or 647-826-3115.