PaymentsSource recently published an article, “New York web rules are a signal to step up data protection,” authored by the CEO of Plixer, Michael Patterson. As we dive deeper into payment security in the coming weeks, we thought this was a topic worth sharing and looking further into.
Here’s the deal: a new regulation has taken effect in the state of New York called 23 NYCRR 500, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, effective March 1, 2017 with phased compliance deadlines. It is the first state-level regulation of its kind, and it has been put in place to protect the information systems of financial institutions and the nonpublic information they hold, a category that includes personally identifiable information (PII) but also extends to sensitive business and health information.
Who does this apply to? The regulation covers every individual or organization operating under a license, registration, charter, certificate, permit, or similar authorization under New York banking, insurance or financial services laws (the regulation calls these “covered entities”). There are limited exemptions for smaller entities, but even exempt entities must file a notice of exemption.
The major intention of this regulation is for companies to evaluate their current security programs, identify areas of risk within their systems, and be prepared to prevent, detect and handle the cyberattacks they can reasonably anticipate. The state of New York will keep track of everyone’s participation by requiring every covered entity to file an annual certification confirming its compliance.
In this case, compliance entails “maintaining a cybersecurity program designed to protect the confidentiality, integrity and availability of its information systems.” The program must be based on a periodic risk assessment and designed to perform six core functions:
1. Identification and assessment of internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the organization’s systems
2. Use of defensive infrastructure and implementation of policies and procedures that protect IT systems, and the nonpublic information on them, from unauthorized access, use or other malicious acts
3. Detection of cybersecurity events (any act or attempt, successful or not, to gain unauthorized access to, disrupt or misuse an information system or the information on it; a data breach is one example, an attempted intrusion is another)
4. Response to identified or detected cybersecurity events to mitigate their negative effects
5. Recovery from cybersecurity events and restoration of normal operations and services
6. Fulfilment of applicable regulatory reporting obligations, including notice to NYDFS of qualifying cybersecurity events
Who will be in charge of all that? Each organization must designate a qualified individual as its Chief Information Security Officer (CISO), responsible for overseeing and implementing the program and enforcing its policies. The CISO may be an employee, an employee of an affiliate, or a third-party service provider, but the covered entity remains responsible for compliance and must retain senior personnel to oversee any third party in that role. The regulation also requires a written cybersecurity policy approved by senior management or the board.
In the coming months, we’ll be curious to see how the regulation is received by New York organizations and whether other states will follow New York’s lead.