NYDFS Cybersecurity Compliance
Two years into life under the rules mandating cybersecurity compliance (23 NYCRR 500) for the state of New York, the effect of the regulations on more than 100,000 businesses throughout the financial sector is becoming clear.
The NYSDFS regulation states that “covered entities” such as state-chartered banks, licensed lenders, private bankers, mortgage companies, insurance companies, agencies and brokers, financial service providers, and many others, ensure the following cybersecurity measures are accounted for in an annual report:
• Periodic cyber risk assessments
• Timely response to cybersecurity incidents
• Certified evaluation of cybersecurity policies & procedures
• Cybersecurity risk mitigation to reduce negative outcomes
• Cybersecurity audit reports
• Evaluation of third-party risk management
• Biennial cyber vulnerability scanning
• Annual cybersecurity penetration testing
• Written cybersecurity risk management plan, & policy.
• Encryption systems to protect certain types of data
• Commercially reasonable best efforts to secure proactive security of sensitive data
Signs now show that compliance could be leading to complacency, with companies lulled into thinking that the required annual report is a replacement for true and ongoing security. Simply put, remaining in compliance is a far cry from effectively managing cybersecurity risk.
Actual, adequate cyber risk management is as continuous and tireless as the threats you face to your cybersecurity. A proactive approach to mitigating all risks is critical to the health of your business and the safety of your sensitive data.
If complying with NYSDFS isn’t enough,
what should I be doing to protect my business?
If you know you are a covered entity under the DFS rules, you’ve already taken action to comply with the State of New York requirements. And that was the proper first step. However, if you are like most businesses, your bottom-line goal is maximizing EBIT which often means finding the minimum viable solution for non-revenue generating requirements. After all, this keeps the stakeholders happy.
One challenge is staying ahead of the threats to your cybersecurity while keeping costs under control for in-house IT or MSPs that may not even have the expertise to actively go beyond the bare minimum requirements of the law. Unfortunately, this might mean you are self-insuring against the catastrophic risk of loss from a data breach. The facts are:
-
-
Cyber-attackers are not waiting for your annual checkup to launch an attack.
-
-
-
Attacks happen, and data gets compromised. Companies without a “what next” plan will suffer worst.
-
-
-
New vulnerabilities can be introduced to your system daily through actions as innocuous as opening an email or installing an application.
-
If complying with NYSDFS isn’t enough,
what should I be doing to protect my business?
This information is not intended to strike fear any more than saying “touching your face without clean hands is a good way to catch a cold.” It’s just information, but it’s information that the right cybersecurity program can help you make use of.
The key is to partner with a company that can offer a full range of support within a reasonable budget for your company’s size and cybersecurity needs. Assured Enterprises recommends you start with a simple assessment such as our NYS DFS CheckupTM. This will help you quickly understand your compliance posture. From there we can walk you through a reliable package, that addresses your security and compliance needs.
If the state isn’t mandating it,
why should I care?
National voluntary seat belt standards were put in place in 1968. New York didn’t mandate compliance until 1984. Some 500,000 people were lost to motor vehicles accidents nationwide during this time. Sometimes it takes the law a little too long to define the risks which the law seeks to minimize
Let me ask you — can you identify the threat actors you face and separate them into human beings you know from those you don’t?
Understanding and measuring the existence of cyber risk and being able to judge the commercially reasonable, cost-efficient solutions which are most appropriate, is not something anyone instinctively knows how to do. Some lawyers specialize in providing this type of advice. In short, unless your life is one of cybersecurity, you’re not supposed to know exactly what to worry about and how to address your needs – and that’s okay.
When we approach threat analysis, we focus on threat actors ranging from nation states to insiders to hacktivists and many more—studying and updating their agendas, techniques and execution strategies.
At the end of the day, your company might be free of vulnerabilities and absent of immediate threats. You might not need to change a thing. But in today’s world we all know that this wishful thinking. Neglecting to assess and address your cyber risk is like driving 70 mph down the highway knowing that your breaks are overdue for a check-up and with no seatbelt. Even if you survive the crash—it will be costly. Why take that risk?
OK, what does Assured Enterprises
have that others don’t?
To be fair, similar companies are out there, many with tools that you’d need to be successful in cyber risk management. However, what really sets us apart is our philosophy and what we believe is the gold standard approach to cyber risk assessment and cyber security. A few of our flagship products that embody the paradigm shift we’ve already made in the way cyber risk is managed are:
• TripleHelix®: The most comprehensive cyber risk assessment system available. TripleHelix® provides Assured’s clients with a clear picture of their current cybersecurity posture in the form of a CyberScore®, along with a comprehensive, written roadmap that details both cost-effective improvements to your environment you can implement now and lays out a plan for future improvements.
• AssuredScanDKV®: AssuredScanDKV deep software scan automatically scans libraries, applications, and executables for known vulnerabilities, often those hard to detect or camouflaged. It works by unpacking software elements down to the l’s & 0’s leaving your actual data proprietary code, and IP secure. This system can protect against some 80% of the successful cyber-attacks on the market.
• Insurance Gap Analysis: Insurance protection can be complicated, confusing and sometimes the complexity creates inadvertent gaps in coverage. Our insurance gap analysis can also point you to innovative risk management solutions.
We have dozens of additional bleeding-edge technologies and services that incorporate the Assured Way of thinking through cybersecurity that simply none of our larger competitors have been nimble enough to realize or to invent.
Alright, this sounds interesting.
What is it going to cost?
Your solution depends on your industry, your size, essentially your unique needs. As mentioned, we offer an umbrella of cybersecurity products and services and can help you both understand and mitigate your cyber risk. Often times we bundle solutions to suit our clients’ needs. This saves money and ensures a holistic approach to risk management. When you’re ready, schedule a demo to learn more about our offerings.
If you’re in New York, however, you might want to start with our NYS DFS Bundle which includes your annual cyber risk assessment and the NYS-DFS CheckupTM to make sure you’re at least fully compliant with 23 NYCRR 500. We are currently offering a special initiation price for an assessment and the NYS-DFS CheckupTM starting at $999. Our goal isn’t to create a barrier between you and your understanding of your risk assessment and compliance posture, but to arm you with the information you need to protect your data.
Ultimately, we want to partner with you to relieve the burden these types of regulatory mandates place on your business, and to be your trusted choice for cybersecurity. Let us take on the cyber risk management to keep you both compliant and secure so you can focus on your business.
Rest Assured, our cost-effective, forward-thinking approach to cybersecurity laws and regulations with tactical, results-oriented solutions will allow you to manage your cyber risk, now and into the future.