Five IT Security Best Practices Derived from 23 NYCRR 500
Using 23 NYCRR 500 regulation to inform IT security best practices
Given the frequency of high-profile data breaches, there’s not likely to be any let-up in the pipeline of new and expanding compliance regulations that are forcing management and IT staff to strengthen their security posture. One of the newest laws affects a large number of companies that do business in the state of New York. Put forward by the New York State Department of Financial Services (NYDFS), regulation 23 NYCRR 500 outlines numerous provisions aimed at forcing financial services companies to be significantly more diligent in their efforts to reduce data breaches and the subsequent exposure of sensitive
Nearly all state-chartered banks, licensed lenders, private bankers, foreign banks, mortgage companies, and insurance companies operating in New York are affected. In addition, third-party service providers contracted by these regulated companies may also be required to meet compliance requirements, especially if these service providers store, process, or otherwise have access to the sensitive data of regulated companies.
Even those companies not required to comply with 23 NYCRR 500 should pay close attention as several other states are looking at following New York’s lead. California, for example, has enacted expansive regulations under the California Consumer Privacy Act, which goes into effect in 2020 and impacts every industry operating in the state, not just financial services.
The law is designed to force companies to protect sensitive consumer data in ways similar to Europe’s General Data Protection Regulation (GDPR), and in Washington, D.C., there are members of Congress who would like to enact legislation at the national level that addresses data protection and privacy. Simply put, if your company hasn’t yet been mandated to strengthen IT security by one or more compliance regulations, this will likely occur sometime in the near future.