The NYCRR 500 Transition Period Is Over – Are You In Compliance?

Six months ago, the New York State Department of Financial Services formally adopted a set of cybersecurity requirements for banks, insurance companies, and other financial services companies that operate in New York. These requirements, commonly known as NYCRR 500, represent the first real cybersecurity law in the United States. After an initial 180-day transition period, several of the law's provisions are now in effect.

As of August 28, 2017, banks, insurance companies, and other organizations licensed by the New York DFS are required to comply with the following mandates:

  • Create a cybersecurity program and define a cybersecurity policy
  • Implement proper access controls for sensitive information
  • Ensure that cybersecurity personnel are qualified and adequately trained
  • Create an incident response plan and a process for notifying the DFS of security incidents

Security incidents such as data breaches must be reported to the DFS within 72 hours if the incident "has or had a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity." While this requirement was one of the primary sources of confusion when the regulations were first announced, the DFS has provided some additional guidance on reportable events and other topics in an online FAQ document.

What's Next?

This is only the first of four phases that the New York DFS has defined for NYCRR 500 compliance. Between now and 2019, financial services organizations (other than the few that will qualify for exemptions) will need to update their cybersecurity practices to meet the law's other requirements.

The next key date will be March 2018, when mandates for CISO appointment, penetration testing, risk assessment, and employee training take effect. Conveniently or not, this is only two months before the effective date of Europe's General Data Protection Regulation, which contains many similar provisions (and will affect many of the same organizations covered by NYCRR 500).

Smartcrypt Can Help

PKWARE's Smartcrypt can help your organization meet many NYCRR 500 requirements. Smartcrypt's unique ability to detect and encrypt sensitive information on user devices, file servers, and other IT assets can help you protect your data against internal and external threats and demonstrate compliance with the New York financial services law and other regulatory obligations.

Among other benefits, Smartcrypt can help you satisfy the following NYCRR requirements:

  • Risk assessment (Section 500.09)
  • Encryption of nonpublic information (Section 500.15)
  • Application security (Section 500.08)
  • Audit trails and activity monitoring (Section 500.06 and Section 500.14)
  • Third party security policies (Section 500.11)

To learn more, check out our NYCRR 500 compliance page, or contact one of our data protection experts today.