Nearly everyone is somewhat concerned about cybersecurity, but some U.S. states are getting serious by passing new laws and regulations. While Europe is beginning to deal with the General Data Protection Regulation (GDPR), New York and Colorado are bringing cybersecurity regulations closer to home for many of us. In the spring of 2017, the Colorado Division of Securities announced rules applicable to broker-dealers and investment advisors that govern how computer information is protected. Similarly, the New York State Department of Financial Services (NY DFS) created cybersecurity requirements for financial services companies (23 NYCRR 500). While 23 NYCRR Part 500 became effective back in March of 2017, the 180-day transitional period ended today, Monday, August 28, 2017. This means that any entity conducting financial transactions in the state of New York is required to be compliant with this regulation unless it obtained an exemption. This also includes companies based in faraway states, including Texas, California and even Colorado with its own rules. So cybersecurity regulations may apply to your backyard and even your neighbor’s backyard. And I doubt this will stop at just New York and Colorado.
So what does this mean for companies doing business in New York? Like any regulation, there are many details, and impacted readers are encouraged to read the details for themselves and ensure their company is compliant. As a brief summary, the covered entity must begin with a cybersecurity program that implements and maintains a cybersecurity policy. That program and policy must provide for a CISO, penetration testing, validation assessments, audit trails, limited access privileges, application security, risk assessments, multi-factor authentication, limited data retention, encryption of non-public information, and an established incident response plan. Many of these seem like common sense and may already be in place at your company. But if not, there is now a regulation requiring them, and either way compliance must be certified annually.
There are two key upcoming dates for 23 NYCRR 500. The first is September 27, 2017, by which companies that believe they qualify for an exemption must file a notice of exemption. The second is more impactful: by February 15, 2018, covered entities must have submitted their first certification under 23 NYCRR 500.17(b), and that certification is then required annually.
If you have already started the process of certifying your company, then good for you. If not, you need to first determine whether you qualify for an exemption and submit a notice; otherwise you will need to get busy with the certification process. Quest solutions can help customers ensure that their Microsoft environment adheres to security and compliance regulations, including these new regulations from New York and Colorado. Quest provides governance, risk and compliance (GRC) solutions to help streamline and automate provisioning and permissions management, auditing, reporting, forensic analysis, and backup and recovery.
Good luck everyone, and let’s discuss strategies to effectively manage these rules and regulations. And as always, let us know if Quest can help.