Cybersecurity Requirements for
Financial Services Companies 23 NYCRR 500
This is the title of a recent regulation enacted by the State of New York. It is anticipated that other states will enact similar cybersecurity requirements.
The regulation has several elements. Some are very broad and vague. Let’s take the definition given for an Information System, as an example…
“Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
The easy interpretation is, “Oh yeah, the computers.” But what about:
- Audio and video eavesdropping devices and data snoops that commandeer an organization’s Wi-Fi system? Spoken conversations and data instantaneously whiz off to an eavesdropper or to a computer server somewhere on the Internet.
- The entrance door’s request-to-exit ceiling sensor that intruders can bypass, thus letting them in during off hours?
- Or any of the other Internet-of-Things devices whose systems can be hacked and exploited for voice, video or data extraction?
You may have all the computers covered, but you will need a technical security consultant to catch all the other Achilles heels. The service provided is called Enhanced Technical Surveillance Countermeasures (TSCM). This is a traditional TSCM bug sweep inspection combined with an on-site information security survey.
Richard Fernandez, executive vice president, professional lines at AmWINS Brokerage of Georgia, specializes in cyber liability. He has said, “Cyber policies also cover regulatory fines, penalties and proceedings, which is a major driver for financial institutions to get cyber insurance. Not that they have much choice in the matter. The cost of not being in compliance will be too high and can easily run into the millions of dollars.” He is correct. Cyber insurance is a good idea, but unlike TSCM, it can’t prevent an information loss disaster in the first place.
The phase-in timeline for New York’s Cybersecurity Requirements for Financial Services Companies 23 NYCRR 500…
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
Your next thoughts might be…
If you have additional questions, or would like to add TSCM to your security and compliance effort, please contact me directly.
Kevin D. Murray CPP, CISM, CFE, CDPSE is a business counterespionage consultant and TSCM specialist with over four decades of experience.
Murray Associates is an independent security consulting firm, providing eavesdropping detection and counterespionage services to business, government and at-risk individuals.
Headquartered in the New York metropolitan area, a Murray Associates team can assist you quickly, anywhere in the United States, and internationally.