By now, we’re old hands at advising some of New York’s biggest firms — as well as many smaller enterprises — on their IT security strategies and awareness training. Part of our cybersecurity awareness training involves making our clientele aware of new compliance regulations that affect how businesses do computer-networked business. We’ve shared some key information in this article regarding the new DFS cybersecurity regulation in New York State below for your edification.

What You Need to Know About NY’s New Cybersecurity Regulation

Monday, August 28, 2017, marked the first compliance deadline for the New York Department of Financial Services’ (NYDFS) cybersecurity regulation 23 NYCRR 500. For those of you in organizations regulated by the DFS, you probably already know 23 NYCRR 500 was first implemented in March last year with the goal of establishing minimum security guidelines to protect financial institutions and their customers from cyber attacks.

These requirements span several security areas, but one recurring theme is the need for visibility into risks and ensuring only the right people have access to sensitive data. Read on for an overview of the regulation and how identity and access management can help with several of these compliance requirements.

I’m not based in NY – why should I care?

At first glance, it may look like you’re off the hook if you’re not principally part of a banking, insurance, or financial organization regulated by the DFS. But it might be worth taking a closer look – the regulation’s reach can be broader. For example, if your organization is an out-of-state bank with branches in New York, you still need to be in compliance.

And, because New York is also a global financial hub, the same goes for international financial organizations operating in New York. If you have financial services organizations as your clients or partners, requirements for third-party service providers might affect you, too. In short, if you’re doing any finance-related business in New York, you might also want to pay attention.

So, what does this first deadline mean?

The different sections of 23 NYCRR 500 had various deadlines, so you don’t need to panic yet if you’re still in the process of implementing all your changes. Monday’s date marked the first phase of compliance requirements, which included:

  • Establishing a cybersecurity program,
  • Creating and following a set of cybersecurity policies,
  • Assigning a CISO (or vCISO),
  • Limiting and periodically reviewing user access privileges,
  • Hiring qualified cybersecurity personnel, and
  • Establishing a well-written incident response plan.

Many of these requirements probably already existed in some form in your organization, but for all you procrastinators and perfectionists still tweaking details, you have until February 15, 2018, before you must submit your first certification of compliance.

What’s coming up next?

The remainder of the requirements are due in 2018 and 2019, so you’ve got some time. The next requirement deadline is March 1, 2018, where you’re supposed to have processes in place to:

  • Establish periodic penetration testing and vulnerability assessments,
  • Conduct periodic risk assessment of information systems,
  • Use multi-factor authentication or risk-based authentication,
  • Provide regular cybersecurity awareness training, and
  • Deliver an annual report by the CISO to the board of directors on the cybersecurity program and any risks.

After that, the next deadline is the eighteenth-month mark after the new cybersecurity regulation’s passing, September 3, 2018. That’s when organizations need to meet the following to stay compliant:

  • Maintain records and audit trails,
  • Establish and follow guidelines for application security,
  • Limit data retention and establish proper procedures for safe data disposal,
  • Monitor and detect unauthorized access of sensitive information, and
  • Encrypt nonpublic data in motion and at rest.

The final due date involves making sure your cybersecurity is iron-clad when it comes to your third-party security providers. You’ve got until March 1, 2019, to create and apply security policies to third-party providers accessing your data.

All the details are in the 23 NYCRR 500 regulation.

[Source credit:]

Already FINRA Secure? You May Still Need a Check-Up.

As a financial institution, bank, or another type of financial advisor, you may already be secure with FINRA guidelines. Nevertheless, any new cybersecurity regulation predicts a re-assessment of your security checklist and protocols. It’s a good idea anyway to have semi-regular check-ups on your security defenses, tools, and workplace policies, to get completely up to speed and not leave anything to chance or complacency.

We’re an Experienced IT Security Consultant in NYC

There are several tell-tale signs that you probably need the services of an experienced NYC IT security consultant. If you have suffered frequent (even semi-frequent) cyber threats either from within or without; or if you have had server exploit or exfiltration/infiltration issues at all, you should inquire with us. If you have any misgivings or fears at all that your IT network is vulnerable (about 80% or more of small to mid-size business owners), then you should call upon a helpful Krantz NYC IT security consultant right away.

The fact is, if companies the size of Sony Pictures, Apple, Equifax, Yahoo, and even NASA can get hacked, no small or medium-sized business (or even large corporation) is safe from the chance of suffering a disastrous and potentially costly cyberattack.

According to CSO Online, cyber attacks cost U.S enterprises $1.3 million on average in 2017—and over half of all cyber attacks were insider exploits. Consequently, you can’t overlook having proper, effective cybersecurity consulting in NYC – or anywhere within the reach of your network and affiliates, associates, etc.

In North America, the Kaspersky Lab study found that the following cyber-threat incidents had the most severe financial impact in 2017 (average numbers, up to Sept. 2017):

Financial impact on enterprises

  1. Physical loss of devices or media containing data ($2.8 million)
  2. Incidents affecting IT infrastructure hosted by a third party ($2.2 million)
  3. Electronic leakage of data ($1.9 million)
  4. Inappropriate IT resource use by employees ($1.1 million)
  5. Viruses and malware ($519,000)

Financial impact on SMBs

  1. Targeted attacks ($188,000)
  2. Incidents involving non-computing connected devices ($152,000)
  3. Physical loss of devices or media containing data ($83,000)
  4. Inappropriate IT resource use by employees ($79,000)
  5. Viruses and malware ($68,000)

[Source credit:]

Krantz Secure Technologies Can Save You from a Potential Compliance Violation

Contact a Krantz Secure IT pro today at (212) 286-0325 or by email at to get your evaluation scheduled, as there will be a rush to “get compliant” by banks, investment houses, and other financial firms. Stay ahead of the pack and the curve by letting us provide the IT, network, and email security tools and peace of mind that will keep you compliant with New York’s new cybersecurity regulation.

Call Now! (212) 286-0325

Looking for the very best in network services in New York City? Call Krantz Secure Technologies today to speak with one of our business technology specialists.