Exempt. When we hear that word, we think about being “off the hook” or that we have immunity. We feel free of meeting the same expectation as someone else.  We’ve escaped fulfilling requirements.

Not so fast! If you’re an insurance broker with clients in New York, the NY Department of Financial Services (NYDFS) 23 NYCRR 500 cybersecurity regulations still apply to your company.  Exempt means most brokers, bankers and all other financial service organizations need to complete a risk assessment and attest to them before April 15, 2020 to avoid fines and penalties.

I’m a small, exempt, business. Why is compliance important?

Often times, small to medium sized companies get the raw end of the deal when it comes to compliance. Higher expectations usually mean more money and more personnel, which is easier said than done.

NYDFS recognizes how cybercrime is wreaking havoc on the financial industry.  They want even the smallest companies to have basic security in place to best protect their clients and themselves. Why? Cyber criminals know small and medium sized companies tend to have lower security in place, making them a perfect target. In fact, according to Verizon’s Data Breach Report, 43% of cyber-attacks targeted small businesses.  NYDFS is leading the nation in getting the industry more cybersecure at all levels.

Reserved: NYDFS regulation 500.19(a)(1) – You are entitled to this exemption when a Covered Entity has fewer than 10 employees, including independent contractors.  This is a limited exemption and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.  This includes submitting an annual Certification of Compliance.

IT manages our cyber risk, right?

This is where the false sense of security is with many insurance brokers and organizations. Most IT departments or Manage Service Providers (MSPs) are focused on technology and data access.  They don’t know if you are conducting cyber security awareness training for your employees or if you have accurate security measures in place for vendors.

NYDFS wants businesses to move to a holistic and vigilant approach by building a cyber resilient culture that goes beyond technology.  To outpace the cyber criminals, you must create a culture of cybersecurity within your company that covers your people, processes, technology and vendors.

Not sure of your next step?  Here is a break down and what you need to do before April 15, 2020:

Compliance starts with knowing your risk across your organization

All financial services, regardless of size, must do the following to design and implement a cybersecurity program to meet regulations.

1 – Conduct a proper risk assessment that covers 14 topics around people, processes, technology and vendors.

2 – Make sure you have policies, procedures, and documentation that covers the 14 areas.

3 – NYDFS requires documentation for several plans: (Make sure you check with your IT and/or IT provider you have to make sure these plans are available regarding cyber breach!)

Risk Management Plan Outlines what you are doing to prevent cybercrime, improve cybersecurity and information protection and reduce cyber risk
Incident Response Plan Details action to respond to an incident across your organization
Business Continuity/Disaster Recovery Plan Details actions to minimize and recover from a breach across your organization
Breach Notification Plan Defines who you need to notify, when to notify and how to notify to avoid penalties and limit liabilities

Lacking resources, time and expertise to get NYDFS 500 compliant by April 15, 2020?

We understand that compliance can feel overwhelming. It seems expensive, difficult, and almost unattainable.  The deadline looks like a huge mountain you have to climb.  At Third Rock, we offer CyberCompass®, a self-guided automation tool to make your compliance journey easier and affordable while still meeting the deadline.  

CyberCompass® is automated, cloud-based compliance software with built-in expertise that translates NYDFS government requirements into layman’s terms. It does most of the heavy lifting for your risk assessment, analysis, remediation and compliance documentation- including updated policies and procedures and all the required plans. There is no software to download or install and it can be accessed anywhere. Click here for a quick video about how CyberCompass® works with NYDFS compliance.  Note: If you are an ELANY member, check out this CyberCompass® offer to ELANY members!

Need assistance and want a compliance coach? Third Rock offers affordable expertise to help you get to the deadline. Don’t let cyber uncertainty keep you from protecting your business and your clients. Contact us today and see how we can prepare you for the NYDFS deadline and to best protect your clients and business.

%d bloggers like this: