Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Could New York’s new cybersecurity rules be a burden for SMBs?

Could New York’s new cybersecurity rules be a burden for SMBs? 

The new Cybersecurity Requirements for Financial Services Companies, which is also known as 23 NYCRR 500, took effect on March 1st this year. It is meant to address the growing cybersecurity threats posed by terrorist organizations, and individual actors to the state’s financial services industry.

The regulations require businesses to carry out certain tasks that will enhance their security posture. In some instances, this includes: appointing a chief information security officer, formulating a cybersecurity program, develop and maintain a cybersecurity policy, conduct a regular risk assessment and penetration testing; keep an audit trail for several years; and more.

The regulation prescribes the use of multi-factor authentication, limitations on data retention, and encryption of non-public data.

Related content




It also requires businesses to notify the DFS superintendent of the occurrence of a cybersecurity event no later than 72 hours from the determination that the event occurred.

“Cybercriminals can cause significant financial losses for DFS (NY Department of Financial Services) regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes,” according to the NYCRR 500. “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.”

The document said that the regulations are meant to promote the protection of customers’ information as well as the IT systems of the regulated businesses.

But at least one cyber risk services and advisory company argues that the cost of complying with the regulations could be too expensive for some businesses.

“While these mandates are certainly a step forward for cybersecurity, many small and mid-sized banks and financial institutions may not have the resources to hire the people, implement the processes, and purchase the technology required in the regulatory standard,” wrote lawyer and cybersecurity issues expert Joseph Abrenio, in a blog he wrote for cyber risk services and advisory company Delta Risk in November last year.

For instance, he said, the regulation requires covered businesses to designate a qualified individual to serve as the company’s CISO.

“With most CISOs commanding a six-figure salary, and a limited pool of candidates to hire from, smaller financial institutions may struggle to achieve this requirement,” Abrenio said.

He also said that provisions covering cybersecurity policies, third-party vendor policy, and incident response plans would require many small companies to hire outside experts trained in cyber security policies and processes.

“While the financial burden associated with 23 NYCRR 500 is significant, failure to comply with these new regulations could be catastrophic,” Abrenio wrote. “Along with potential civil penalties imposed by the NYDFS, financial institutions, banks, and their leadership could be exposed to legal liability.”

Bob Covello, a blogger for tech open source cybersecurity solutions firm Alien Vault, wrote today that the regulation has undergone two revisions already prior to its final release.

“The original regulation was very strict, and many of the requirements of the original proposal were moderated so as not to cripple small and medium-sized businesses,” he said.

He said 23 NYCRR 500 applies to firms that have more than 10 employees or that meet the specific gross revenue requirements detailed in the regulation over the course of three years must abide by the full regulation.

However, it does provide some exemptions from certain provisions for businesses with fewer than 10 employees, firms with less than US$5 million in annual revenue, and those with less than $10 million in year-end total assets.

Both Covello and Abrenio believe it is very likely that other states will follow New York’s lead.

“While these regulations are set to only apply to New York covered entities now, financial institutions and banks throughout the country should see the writing on the wall, as New York has historically been a trendsetter in cyber security regulations,” said Abrenio. 

“The effects of this regulation are rippling through many organizations, as it places direct responsibility for cyber security on the Board of Directors or any similar senior management positions within a covered entity,” according to Covello. “Cyber security has truly hit the C-Suite in New York State. The big question now is: will other states follow New York’s lead?”

Related posts