In our third edition of the Insider Threat podcast, we turn from the bad guys attacking you to auditors attacking you. That’s a joke, but I know it does reflect the way it can feel sometimes. Many folks will ignore NYCRR 500 because they see “NYC” and think that means it isn’t about them, or they know it is being put out there by the New York State Department of Financial Services (DFS) and think that means it will not apply to them since they are not a financial. The scope of NYCRR 500 is limited to organizations New York’s DFS regulates, but that net is wider than it appears. It certainly reaches outside of New York because it will affect anyone doing finance-related business in New York or “subsidiaries or affiliates” of such organizations. Which means it may be non-finance organizations with the right sort of ties to a financial. Specifically, the DFS says on their website.
When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections 500.09, 500.02 and 500.03, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.
Like so much else with any regulation that is yet to be tested in court, the actual details will become clear over time. It is safe to say that simply being outside New York and not being a financial aren’t enough to rule it out.
If you’re a security pro and looking at this as yet another PITA regulation, you may be pleasantly surprised. I won’t spoil all the fun we had in the podcast, but it is suffice to say that the provisions in this regulation are reasonably clear and prescriptive – as far as regulations go. In fact, it may be that security pros will be able to use this regulation as leverage to get better controls and security event monitoring from the business. I have always been a proponent of the idea that the auditor can be your friend in the right circumstances. When you find that your interests align with the auditor’s, then you can get a naive quid pro quo going. You use the auditor to get the attention (and budget) from the business, and they use you to get the controls in place effectively so they can put a win in their book.
Click Here to listen to the podcast.
To read the blog 4 Steps to Ensure NYCRR 500 Compliance, please click here.
To be notified of Insider Threat Podcast episodes, sign up here.