The first of the NYDFS 23 NYCRR 500 roadshow events in Rochester, NY on May 16, 2017 was a great success as numerous people from local financial services companies participated in a great forum to help organizations understand how to meet the new cybersecurity regulations that went into effect on March 1, 2017.
The event was held at Harter Secrest & Emery LLP in Rochester and started what will be a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging group of regulations.
The event started with an “Overview of 23 N.Y.C.R.R. Part 500 and Key Legal Challenges” by F. Paul Greene of Harter Secrest & Emery LLP. Paul focused on many of the legal issues around compliance, including what is a covered entity. Any organization regulated under the Banking, Insurance or Financial Services law is subject to this regulation. This includes foreign and out of state businesses that operate in New York and most likely applies to the whole organization, unless the organization has a segregated IT infrastructure.
Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”. Sponsored by Fasoo, this survey helped understand the current posture of readiness to comply with the new regulations. Some of the more interesting results are that most organizations do not believe they can meet the timelines for compliance, over 70 percent think a lack of knowledgeable personnel will hamper their efforts and most are very concerned about how to implement effective security policies for third party service providers.
Dr. Ponemon’s keynote was followed by a Panel Discussion – Pathway to Compliance – that was moderated by Kevin Cox from Brite Computers. Panel members included Dr. Ponemon, Paul Greene, Reg Harnish from GreyCastle Security, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo. There was a lot of discussion around doing a risk assessment and understanding what nonpublic information assets you have and where they are. This lead to insurance questions and how best to mitigate risk related to business continuity following a data breach. While insurance is critical to recovery from loss, it is not a substitute for a good cybersecurity program.
The event finished with questions from attendees on the most challenging areas in their companies for compliance. One bit of advice from the panel was to remember that the regulation is intended to protect companies and their customers by protecting sensitive information. While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business. That is the focus needed to improve the cybersecurity posture at each covered entity.
Fasoo wants to thank all the Rochester NYDFS 23 NYCRR 500 roadshow sponsors for all their support in making it an outstanding event.
Harter Secrest & Emery, LLP