Back in February, the Governor of New York, Andrew M. Cuomo, announced the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and its consumers from the threat of cyber attacks, effective March 1, 2017. Then, on March 1st, the Superintendent of Financial Services in New York, Maria T. Vullo, promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies that must be in place by August 28th, 2017. New York State Department of Financial Services Superintendent Maria T. Vullo said, “With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information. As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”

The regulation spans several security areas and introduces many new requirements, but the overall theme is the need for visibility into risks and ensuring that only the right people have access to sensitive information.

Now that the first deadline has passed, what does this mean? 23 NYCRR 500 is in effect, but do not worry if you are still getting all the requirements in place, as different sections have different deadline dates. The first-phase compliance requirements that must be in place are:

  • Establishing a cybersecurity program
  • Creating and following a set of cybersecurity policies
  • Assigning a CISO
  • Limiting and periodically reviewing user access privileges
  • Hiring qualified cybersecurity personnel
  • Establishing a written incident response plan

So now you are asking yourself, “How does this directly affect my organization?” For all those who do business in New York, these new regulations must be in place within your organization by the established dates or your organization will face hefty fines. However, if you are not in New York or do no business in New York, this does not directly affect you right now but could in the near future. With New York being a financial hub, this may be only the beginning of something that could go national very soon. So your organization may not need to follow these regulations yet, but it should still be aware of what the rules are and possibly look into what it would need to do to comply.

Here is what to expect with the next few requirements that are coming up. The next requirements do not have deadlines until 2018 and 2019, so your organization has some time. The next requirement has a deadline of March 1st, 2018, and it requires an organization to:

  • Establish periodic penetration testing and vulnerability assessments
  • Conduct periodic risk assessment of information systems
  • Use multi-factor authentication or risk-based authentication
  • Provide regular cybersecurity awareness training
  • Deliver an annual report by the CISO to the board of directors on the cybersecurity program and any risks

Following that deadline, the next set of requirements must be in place by September 3rd, 2018, and requires an organization to:

  • Maintain records and audit trails
  • Establish and follow guidelines for application security
  • Limit data retention and establish proper procedures for safe data disposal
  • Monitor and detect unauthorized access of sensitive information, and
  • Encrypt nonpublic data in motion and at rest

The final deadlines involve making sure each financial institution has all its cybersecurity ducks in a row when it comes to its third party security providers, and that does not go into effect until March 1st, 2019.

To read all about these new cybersecurity requirements click here.

Now you are saying, “Wow, that is a lot to be ready for and that could really overwhelm my staff. How can Sath help us?” As experts in the Identity Access and Governance space since 2004, there has not been an issue or situation we have not seen. From thought leadership to road-mapping to implementation, we have the ability to help any organization with any issue that concerns IAM.

Major requirements that must be met under 23 NYCRR 500 are limiting access privileges, conducting a risk assessment and monitoring access to sensitive information. Sath offers a variety of services that would help an organization satisfy these new regulations.

For the requirements coming up in March 2018, Sath offers a comprehensive set of services that would get an organization in compliance with all the required regulations. With a proven track record of implementing multi-factor authentication services and providing risk, reliability and penetration testing services, Sath can cover all the requirements your organization needs.

To reach Sath and discuss how we can help your organization with any and all your IAM and compliance needs email us at