In response to the ever-growing threat of cyber-attacks, the New York State Department of Financial Services enacted 23 NYCRR 500, which took effect March 1, 2017. The Cybersecurity Requirements for Financial Services Companies require Covered Entities to develop a robust, risk-based cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic information.
At Sage, we’ve partnered with financial services companies for over a decade. We help increase their cyber resiliency by identifying and assessing risk, detecting cybersecurity events, and creating plans to respond to and recover from an incident.
Explore how our solutions can help you comply with 23 NYCRR 500, better protect your customer information, and secure your information systems.
In response to the ever-growing threat of cyber-attacks, the New York State Department of Financial Services (NYSDFS) has issued 23 NYCRR 500, which sets out cybersecurity requirements and regulatory minimum standards for financial services companies. It applies to any company operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York banking, insurance, or financial services law. In it, NYSDFS urges all regulated institutions that have not yet done so "to move swiftly and urgently to adopt a cybersecurity program" along the lines the regulation describes.
The core of the New York cybersecurity regulation is a robust, risk-based cybersecurity program that protects the confidentiality, integrity, and availability of nonpublic information. The program must be overseen and enforced by a qualified Chief Information Security Officer (CISO), who may be either an in-house hire or a third party.
The Program should:
At Sage, we’ve been partnering with the financial services sector for nearly two decades, helping firms achieve their cybersecurity goals and meet their compliance obligations. We understand that cybersecurity isn’t a one-size-fits-all proposition, which is why all our services are tailored to your specific needs and environment.
We believe that achieving cyber resilience depends on what we call the cybersecurity lifecycle: an ongoing cycle of interconnected elements that complement and reinforce one another. We offer a suite of services to support your entire cybersecurity lifecycle, including program development, education and training, technical testing, advisory services, plus nDiscovery Managed Threat Detection and nForensics Digital Forensics Service.
Explore how our services can help you become compliant with 23 NYCRR 500, or contact us for more information.
Section 500.04 requires you to designate a qualified CISO, and if you don’t have the resources in-house, the regulation allows that role to be filled by a third party. This is welcome news for organizations that lack an in-house resource or the budget to support a new hire.
Sage’s Cybersecurity Partnership Program provides guidance, counsel, and oversight that can help carry this burden. We keep you up to date on the latest regulatory and cybersecurity developments through monthly webinars, and the program includes quarterly on-site meetings where your advisor provides guidance on your cybersecurity initiatives.
Under 23 NYCRR 500 (Section 500.17), the board chair or a senior officer must review the supporting documentation and sign an annual certification of compliance, submitted to the superintendent by February 15 for the prior calendar year. This means executives have to stay informed and take an active part in the cybersecurity conversation.
Our Executive Cybersecurity Readiness Program helps keep executives and boards of directors up to date on the current cybersecurity landscape. The program includes an on-site board briefing, quarterly webinars, a cybersecurity resilience assessment, and a cyber incident response exercise.
An important part of the cybersecurity program outlined in the regulation (Section 500.02) is the ability to detect when a cybersecurity event occurs. This is not an easy task, especially if you don’t have a dedicated in-house resource.
Tyler Detect combines human expertise with current threat intelligence and advanced data analytics to detect threats quickly and accurately across your entire environment. We validate the scope of an incident and deliver remediation recommendations to you within minutes.
The NY regulation requires many cybersecurity policies and procedures, including risk management, incident response, and disaster recovery, to name a few, but it does not prescribe a one-size-fits-all approach to any of them.
Sage offers a suite of Cybersecurity Advisory Services that can help you develop a program that is right for your organization. We’re 100% focused on cybersecurity and have decades of experience interpreting and contextualizing the latest threat intelligence to deliver the insight, guidance, and counsel that informs every aspect of your program.
Section 500.05 calls for penetration testing and vulnerability assessments to measure your cybersecurity program’s effectiveness. At Sage, we think they are also a great way to inform your cybersecurity strategy going forward.
We have nearly two decades of experience tailoring a variety of Cybersecurity Assessment Services to our clients’ specific environments. We deliver concise, actionable findings and effective remediation recommendations, and our security experts are available to discuss findings and support you on follow-up issues.
Vendors and other third parties with access to systems housing nonpublic information are specifically called out in the regulation (Section 500.11). It imposes several requirements for ensuring that they meet minimum security standards and that their practices are periodically assessed and verified.
Sage’s Service Provider Cybersecurity Assessment Program supports the management of all your third-party service providers and helps you demonstrate compliance with 23 NYCRR 500, drawing on the FFIEC guidance in Appendix J of the FFIEC Business Continuity Planning IT Examination Handbook.