In March 2017, the New York Department of Financial Services (DFS) adopted Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York. 23 NYCRR 500, or Part 500, was written in response to the rise in cyber attacks over the past few years. The regulation requires that organizations regulated by DFS (banks, insurers and other entities operating under a New York banking, insurance or financial services license, charter or registration) make a measurable, documented commitment to cyber security on behalf of their customers. It was recently expanded to also cover consumer reporting agencies. The first certification of compliance with the new regulation was due by February 15, 2018.
Part 500 contains several cyber security provisions, chief among them the requirement to adopt a comprehensive, written IT security program. That program must address the risks identified in a periodic risk assessment (another Part 500 obligation, which also calls for at least annual penetration testing and regular vulnerability assessments) and must protect the confidentiality, integrity and availability of nonpublic customer information.
The program must be run by qualified personnel, including a designated Chief Information Security Officer (or someone with the training to carry out that role's duties), who may be employed by the organization, by an affiliate, or by an authorized third-party service provider. The regulation also sets conditions for handling nonpublic information, including multi-factor authentication and encryption, audit trails, active monitoring and a written incident response plan, notification to the DFS Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred, and thorough documentation throughout each process.
This regulation represents a shift in government's attitude towards cyber security. Though the U.S. as a whole has not had as organized a response as some other nations, agencies at the state and federal levels are increasingly looking towards more proactive cyber security rules. Part 500 is likely a sign of emerging standards for IT as data breaches continue to affect a growing share of the population. Data protection will eventually become as regulated as personal safety in physically hazardous workplaces.
This will mean added costs for every enterprise, but especially for small and medium-sized businesses, for whom an internal IT department is a serious expenditure. Thankfully, regulations like Part 500 do allow these cyber security functions to be outsourced to Managed Service Providers; note that the regulated organization remains responsible for its program and must have a policy for overseeing its third-party providers. MSPs like SWK NWS give you the ability to meet the emerging data protection requirements without significantly expanding your overhead, while helping protect your network from outside threats. You can read more about outsourcing IT here, or contact us with any questions you have.