In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. This new regulation lays out reporting requirements in the event of a data breach and limitations on retaining data.
23 NYCRR 500 issues uniform guidelines on a number of measures to undertake for enhanced data protection. Some of the requirements include conducting regular risk assessments, documenting and enforcing cybersecurity policies, designating a full-time or part-time Chief Information Security Officer (CISO), conducting periodic tests, and more.
The NYCRR primarily contains state agency rules and regulations adopted under the State Administrative Procedure Act (SAPA). The 23 Titles include one for each state department, one for miscellaneous agencies and one for the Judiciary. The Office of Court Administration and the Judiciary are exempt from SAPA requirements.
You must appoint a qualified individual as the company’s CISO, who will be accountable for executing and enforcing the cybersecurity policy in the organization. The Chief Information Security Officer can be either ‘in-house’ or a third-party service provider.