What is the New York Cybersecurity Regulation? What you need to do to comply

Officially called 23 NYCRR 500, this regulation requires financial services firms doing business in New York to have a full security risk assessment and plan.

In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Although many experts see the regulation as flawed, 23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Given the importance of the financial services industry to New York’s economy, it’s easy to see why the DFS enacted the regulation. New York is home to many of the leading global and domestic financial institutions, which together represent about 30 percent of the state’s gross domestic product (GDP). If that industry falters, New York takes a big hit in terms of revenue, jobs and reputation. The regulation requires organizations to adhere to what the DFS considers a minimum standard set of security best practices.

Setting a cybersecurity regulation standard for the U.S.

Much like the European Union’s General Data Protection Regulation (GDPR), the New York Cybersecurity Regulation has far-ranging geographic reach. “Because New York is such a big market, [23 NYCRR 500] will have a sweeping effect on companies within the United States headquartered outside of New York, as well as companies that are headquartered outside of the United States,” says Harley Geiger, director of public policy at Rapid7. “In this way, the regulation is similar to GDPR. A lot of U.S.-based companies, because they do business in Europe, are now finding themselves in the position where they have to comply with EU regulations.”