Not so fast! If you’re an insurance broker with clients in New York, the NY Department of Financial Services (NYDFS) 23 NYCRR 500 cybersecurity regulations still apply to your company.  Exempt means most brokers, bankers and all other financial service organizations need to complete a risk assessment and attest to them before April 15, 2020 to avoid fines and penalties.

I’m a small, exempt, business. Why is compliance important?

Often times, small to medium sized companies get the raw end of the deal when it comes to compliance. Higher expectations usually mean more money and more personnel, which is easier said than done.

NYDFS recognizes how cybercrime is wreaking havoc on the financial industry.  They want even the smallest companies to have basic security in place to best protect their clients and themselves. Why? Cyber criminals know small and medium sized companies tend to have lower security in place, making them a perfect target. In fact, according to Verizon’s Data Breach Report, 43% of cyber-attacks targeted small businesses.  NYDFS is leading the nation in getting the industry more cybersecure at all levels.

IT manages our cyber risk, right?

This is where the false sense of security is with many insurance brokers and organizations. Most IT departments or Manage Service Providers (MSPs) are focused on technology and data access.  They don’t know if you are conducting cyber security awareness training for your employees or if you have accurate security measures in place for vendors.

NYDFS wants businesses to move to a holistic and vigilant approach by building a cyber resilient culture that goes beyond technology.  To outpace the cyber criminals, you must create a culture of cybersecurity within your company that covers your people, processes, technology and vendors.

Not sure of your next step?  Here is a break down and what you need to do before April 15, 2020:

Compliance starts with knowing your risk across your organization

All financial services, regardless of size, must do the following to design and implement a cybersecurity program to meet regulations.

1 – Conduct a proper risk assessment that covers 14 topics around people, processes, technology and vendors.

2 – Make sure you have policies, procedures, and documentation that covers the 14 areas.

3 – NYDFS requires documentation for several plans: (Make sure you check with your IT and/or IT provider you have to make sure these plans are available regarding cyber breach!)

Lacking resources, time and expertise to get NYDFS 500 compliant by April 15, 2020?

We understand that compliance can feel overwhelming. It seems expensive, difficult, and almost unattainable.  The deadline looks like a huge mountain you have to climb.  At Third Rock, we offer CyberCompass®, a self-guided automation tool to make your compliance journey easier and affordable while still meeting the deadline.  

CyberCompass® is automated, cloud-based compliance software with built-in expertise that translates NYDFS government requirements into layman’s terms. It does most of the heavy lifting for your risk assessment, analysis, remediation and compliance documentation- including updated policies and procedures and all the required plans. There is no software to download or install and it can be accessed anywhere. Click here for a quick video about how CyberCompass® works with NYDFS compliance.  Note: If you are an ELANY member, check out this CyberCompass® offer to ELANY members!

Need assistance and want a compliance coach? Third Rock offers affordable expertise to help you get to the deadline. Don’t let cyber uncertainty keep you from protecting your business and your clients. Contact us today and see how we can prepare you for the NYDFS deadline and to best protect your clients and business.

The post EXEMPT is not a FREE PASS with 23 CRR 500 NY DFS appeared first on Third Rock.

The post Am I a Data Processor or a Data Controller? – Check the GDPR glossary appeared first on Third Rock.

If you are not yet GDPR-ready, you’re not alone. Many companies are still scrambling to meet the requirements. Some U.S.-based companies didn’t realize the law would apply to them. Others did not realize the full extent of the law – or of their own data collection! 

Don’t worry – whether starting from scratch or needing to document your current GDPR status, Third Rock’s CyberCompass™ streamlines the assessment process and automates the report generation, making it possible for Third Rock to give you a full report, including a prioritized list of action items, within a few days. Then, if needed, our consultants and technology partners can work with you to address the action items and come into compliance. Contact us today to schedule a GDPR assessment, the first step in becoming compliant.

GDPR – Automated. Simplified. Affordable.

The post The GDPR deadline is here – are you ready? appeared first on Third Rock.