NY SHIELD Act – Cybersecurity Compliance
Keep your business compliant with New York cybersecurity laws like the SHIELD Act and the NYDFS Cybersecurity Regulation (23 NYCRR Part 500)
Data Security Compliance for New York City Businesses
If you have employees or customers in New York state, your business is likely subject to New York’s SHIELD Act, which imposes significant data security requirements. Financial firms are subject to the even more stringent NYDFS Cybersecurity Regulation (23 NYCRR Part 500). In either case, failing to defend against hackers or properly safeguard your business data could result in hefty violation fines for your business.
IT on Demand can act as your cybersecurity team, implementing a data security program that keeps your business in compliance. We’re well-versed in New York’s cybersecurity regulations for financial firms, small businesses, and more. Avoid the headache of keeping up to date on changing regulations and let us handle your business’s cybersecurity compliance.
For All Businesses:
New York SHIELD Act
- Applies to anyone who owns or licenses the private information of a New York resident
- Purpose: to protect the security, confidentiality, and integrity of private information
- Requires businesses to implement a data security program with reasonable administrative, technical, and physical safeguards
For Financial Institutions:
23 NYCRR Part 500
- Applies to financial institutions who make greater than $5 million in annual revenue (limited exemptions are granted for smaller businesses)
- Purpose: to impose cybersecurity best practices and mitigate risks of cyber attacks directed at financial institutions
- Requires financial institutions to enact a detailed cybersecurity plan, including compliance with a checklist of 18 distinct requirements
What is the New York SHIELD Act?
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, passed in July 2019, is an amendment to an earlier data security law that is designed to better protect the private information of New York residents. It expands the definitions of private information and what constitutes a breach and imposes stricter requirements on businesses to implement reasonable data security measures. The law applies to anyone who owns or licenses the private information of a New York resident, which means it likely impacts most businesses across the country, not just those operating in New York.
SHIELD Act Requirements
The SHIELD Act requires businesses to implement reasonable administrative, physical, and technical safeguards. While there are exceptions for small businesses (defined as fewer than 50 people and less than $3MM annual revenue), all businesses need a data security program appropriate to the size and complexity of the business.
- Designate one or more employees to coordinate the security program
- Identify reasonably foreseeable internal and external risks
- Assess the sufficiency of safeguards in place to control the identified risks
- Train and manage employees in the security program practices and procedures
- Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract
- Assess risks in network and software design
- Assess risks in information processing, transmission, and storage
- Detect, prevent, and respond to attacks or system failures
- Regularly test and monitor the effectiveness of key controls, systems, and procedures
- Assess risks of information storage and disposal
- Detect, prevent, and respond to intrusions
- Protect against unauthorized access to or use of private information during or after the collection, transportation and destruction, or disposal of information
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed
How IT on Demand Can Help
We are capable of implementing and maintaining the safeguards required by the SHIELD Act to keep your business compliant. We will do a comprehensive audit of your systems to identify risks to your network, software, hardware, data, backup solutions, and more. From there, we can address any issues and monitor your networks on an ongoing basis to keep all private information secure.
What is the NYDFS Cybersecurity Regulation (23 NYCRR Part 500)?
The New York Department of Financial Services (DFS) Cybersecurity Regulation–also known as 23 NYCRR Part 500–is a law establishing cybersecurity best practices for financial institutions. Because financial firms are highly targeted by cyberattacks, the regulation imposes strict requirements designed to mitigate the risk of attacks. The law applies to any individual or agency regulated by the DFS, such as investment firms, banks, insurance companies, and third-party service providers who work with DFS-regulated entities.
23 NYCRR Part 500 Requirements
The law requires financial institutions to implement a comprehensive cybersecurity plan and adhere to a checklist of 18 distinct requirements, some of which include:
- Establishing a cybersecurity program to identify cybersecurity risks and detect, respond, report, and recover from cybersecurity events
- Maintaining written cybersecurity policies
- Appointing a Chief Information Security Officer (CISO) to manage the cybersecurity program
- Regular penetration testing and vulnerability assessments
- Conducting periodic risk assessments
- Employing cybersecurity personnel capable of implementing the security program
- Using multi-factor authentication to access the internal network from an external source
- Providing regular cybersecurity training for all personnel
- Encrypting nonpublic information
- Notifying authorities of a cybersecurity event
How IT on Demand Can Help
IT on Demand can act as your Chief Information Security Officer and cybersecurity team, saving you the burden of hiring costly cybersecurity personnel. We have experience working with some of the nation’s leading financial firms, so we know what it takes to safeguard your sensitive data from hackers and cyber threats. We will analyze your systems and put together a comprehensive cybersecurity plan in compliance with 23 NYCRR Part 500 requirements.
Get started now with a free business review and risk assessment.
12 Facts About Data Backup—a FREE Download
What if your company’s data was suddenly lost? How would you mitigate a disaster of those proportions?
Whether it’s data corruption or complete loss, the answer is preparation—in the form of data backup. This FREE resource from IT on Demand covers different types of data backup, how to choose the best type for your business…and much more, including frightening backup trends.