The time has never been better to get in Cyber Shape!! The New York State Department of Financial Services’ Cybersecurity Regulation, and its requirements, is getting nationwide attention. 23 NYCRR Part 500, commonly known as “Part 500”, became effective March 1, 2017. It is a regulation that directly affects “Covered Entities” but also has third-party vendors in its grip. Covered entities include Banks, Mortgage Brokers and Insurance Companies, among others. Third-party vendors are those who provide services to a covered entity, such as a law firm, accounting firm, etc.
Superintendent Maria Vullo is actively trying to get other states to follow New York’s lead in focusing on steps to take prior to a data breach, otherwise known as “Breach Mitigation.” Colorado recently sent its regulation that applies to broker dealers to the Colorado Attorney General for review. Virginia Governor Terry McAuliffe has been pushing for States to beef up their Cybersecurity. In fact, 38 Governors just signed a Cybersecurity compact calling for universal Cybersecurity measures to protect State systems and data. This initiative is known as Meet the Threat. Companies can no longer close their eyes to Cybersecurity, or they may risk being sued for not meeting the Standard of Care in protecting the data of others.
For those organizations affected by Part 500, the August 28, 2017 deadline is breathing down their necks! By that date they are to develop a Cybersecurity Program and a Cybersecurity Policy; designate a CISO; retain Cybersecurity Personnel & Intelligence; develop a Disposal Policy; determine Access Privileges; and develop an Incident Response Plan. The next deadline of March 1, 2018 cannot be dismissed as any less daunting. https://www.dfs.ny.gov/industry_guidance/cyber_faqs
The third-party vendors who service Covered Entities should not stand idly by. The sooner they start getting their Cybersecurity plan in place, the more likely they are to continue being used as a third-party vendor for a Covered Entity, as opposed to getting pushed to the curb like any other redundant service. Penetration and vulnerability testing, while using counsel to guide the process and to maintain attorney-client privilege, is a great idea for third-party vendors to do right now to identify what problems may be lurking, so that proper steps, including budgeting for this enormous project, may get started.
The NYSDFS recently published answers to frequently asked questions on its website: https://www.dfs.ny.gov/industry_guidance/cyber_faqs. The answers provide guidance, and the language used is, for the most part, non-threatening, which is a positive thing. We continue to monitor and assist clients with their Part 500 compliance. We are also watching to see whether any members of the State Assembly are going to step in and provide help for smaller companies who may not have the resources to satisfy the pressing deadlines and requirements of Part 500.