plans in place to address all of the compliance gaps

If you do not have a CISO, you will most likely need external assistance. We have summarized the regulation in lay terms, but you should engage a professional to assess your current state against the regulatory requirements and identify the gaps.
That gap assessment is a good place to start, and reading the regulation's overview ahead of time will help you understand not only the specific requirements but also how they relate to one another.
#2 – Build on the NIST Framework
Organizations can implement the requirements of this regulation piecemeal, but a more strategic approach is to build out a security framework through which you satisfy the NYS-DFS requirements and the numerous other state and federal cybersecurity regulations you may be subject to.
Using a security framework has the added benefit of ensuring you follow established security practices to protect your organization's information and customers. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is an industry-standard framework you can use for this purpose.

The most important thing to note about NYS-DFS is that its requirements map closely onto the NIST CSF. The CSF is built around five core functions (version 2.0, released in 2024, adds a sixth, Govern, but the five below remain):
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
You can therefore use the CSF as a basis for meeting the new regulation. The benefit of this approach is that the same CSF-based program can support the other compliance regulations you may need to meet, letting you report effectively against a range of compliance requirements.

#3 – Develop a Compliance Strategy
Achieving compliance while also overcoming day-to-day cybersecurity challenges can be a lot for one business to take on at once. Here is our recommended approach:
- Identify your organization's culture, circumstances, and the changes required to meet the regulatory deadlines that will affect your business.
- Focus on where you need help, and identify and mobilize the right assistance, whether that is a person or a team.
- Address planning, gap analysis, and the design and implementation of the changes required by the NY DFS Cybersecurity regulation.
- Consider whether the effort can also be used to enable and sustain change, improve operational performance, and transform and grow your business.
Once you have taken this broader look at your organization and developed a compliance strategy, prioritize the largest gaps in your program by due date and complexity. You will need to act on these as soon as possible.
Then determine whether you can address these gaps internally with your existing staff, or whether you need to add resources or outsource some or all of the work. An organized approach that deconstructs the regulation into smaller components is the best way to "eat the regulatory elephant."
Final Thoughts
This effort may look like an overhead expense and a distraction for your company, but in reality it improves the company by mitigating cyber risk and protecting both you and your customers. It is a necessary cost of doing business in the technology age.
In summary, the NY DFS Cybersecurity regulation is in force now and affects carriers doing business in the state of NY. Similar regulations are likely to affect carriers in other states. Getting your CISO in place is critical, and planning your compliance strategy should be a priority.
Not sure how to get started? Let's do it together. Our blend of industry perspective, business and technology services, and a flexible, local delivery approach allows us to help you achieve compliance and strengthen your position in the market.
About NY DFS Regulation 23 NYCRR 500
With the number of cyber events increasing and estimates of the potential risk to the financial services industry continuing to grow, this regulation was implemented to promote the protection of customer information as well as the information technology systems of regulated entities.
The regulation requires each company to assess its own specific risk profile and design a program that addresses those risks in a robust fashion. It took effect on March 1, 2017 and required banking, insurance and financial services organizations regulated in the state of NY to be fully compliant by March 1, 2019; most sections had earlier transitional deadlines during 2017 and 2018.
Authors & Contributors: Robert Hunter, Errol Yudelman and Sean Sweeney