Cybersecurity Deadline Approaches – Preparing your firm for the first phase of New York’s Cybersecurity Rule 23 NYCRR 500

By Tim Buckler


The first phase implementation date of New York’s “Cybersecurity Requirements for Financial Services Companies” rule (23 NYCRR 500) is August 28th, 2017. The rule requires firms to develop and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems. The program must be based on a risk assessment and must: identify and assess internal and external cybersecurity risks; use defensive infrastructure and implement policies and procedures to protect the firm’s information systems and Nonpublic Information from unauthorized access or use; detect, respond to and recover from cybersecurity events; and fulfill applicable regulatory reporting obligations.

Seven sections of the rule become partly or completely effective on August 28th:

  • 02 Cybersecurity Program
  • 03 Cybersecurity Policy
  • 04(a) Chief Information Security Officer
  • 07 Access Privileges
  • 10 Cybersecurity Personnel and Intelligence
  • 16 Incident Response Plan
  • 17 Notices to Superintendent

What firms are required to follow the rule?

Broker-dealers and investment advisors are not named in the rule, but section 500.01(c) stipulates that “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” In other words, if your firm holds any authorization under the Banking Law, the Insurance Law or the Financial Services Law, you will probably need to follow the rule, regardless of how your firm is registered elsewhere.

Qualifying for Exemptions

To find out if your firm qualifies for exemptions from some provisions of the rule, check the exemption list in section 500.19. If at some point your firm no longer meets the requirements for an exemption, you have 180 days to meet all in-force requirements. If you plan to use an exemption, you will have to file a notice to that effect with the NY DFS by September 27, 2017 (30 days after the effective date). The NY DFS has provided the form of the exemption notice as Appendix B at the end of the rule. Then mark your calendar to routinely re-check, at least once a year, that your firm still qualifies for the exemption, since the 180-day clock starts as soon as it no longer does.

Next Due Dates

Don’t forget, this is only the first phase. If you are a Covered Entity, you must submit a written Certification of Compliance (Appendix A to the rule) to the NY DFS by February 15th, 2018, attesting that your firm is in compliance with the sections of the rule in force during the prior calendar year. The deadline for the second phase is March 1, 2018, when five more sections become effective:

  • 04(b) CISO Report
  • 05 Penetration and Vulnerability Assessments
  • 09 Risk Assessment
  • 12 Multi-Factor Authentication
  • 14(b) Training and Monitoring

How Oyster Can Help:

Oyster Consulting’s cybersecurity services include developing and implementing risk assessments, policies and procedures, and incident response and business continuity plans, among others. Oyster has the background and perspective to help you build the cybersecurity program that is right for your firm. We are the right partner to help you bridge the gap where business and technology meet, ensuring that you have the resources to understand the threats and the ability to protect yourself.

About The Author

Tim Buckler

Tim Buckler has spent 10 years in the financial services industry, with a focus on project management, cybersecurity, data analysis, and compliance. Tim’s experience includes project management support for clearing platform conversions, cybersecurity assessments, GDPR and CCPA assessments, 12b-1 mutual fund fee analysis for regulatory initiatives, and ownership changes for annuities held in custodial IRAs.