Deadline to comply with cybersecurity legislation in New York
Following the adoption of strict regulations such as GDPR and CaCPA, New York takes vigorous action to demonstrate that cybersecurity is not optional
For ethical hacking specialists, this 2018 has been marked by the approval of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CaCPA). Ethical hacking experts from the International Institute of Cyber Security consider that these regulations represent a significant change in the way the business community manages and protects consumer information.
Despite the implementation of these regulations, the approval of the cybersecurity regulations of the New York State Department of Financial Services (23 NYCRR 500) has been unnoticed, the deadline to comply with this Act was September 4.
This is a set of regulations of the New York Department of Financial Services (DFS) that establishes new cybersecurity requirements in all financial institutions covered by this law. This law shall apply to all entities operating under license, registration or charter of the Department of Financial Services of New York, or otherwise governed by DFS.
While its counterparts GDPR and CaCPA refer to the duty to maintain safety practices and procedures equivalent to the risk of harm to consumers, the New York regulation explicitly demands a strong and unique application security program.
As marked in section 500.08: The cybersecurity program of each Covered Entity will include written procedures, guidelines and standards designed to ensure the use of safe development practices by the Covered Entity, as well as procedures to evaluate or test the security of in house and external applications used by the Covered Entity in its technological environment.
In other words, it is the duty of organizations to comply with an application security standard, while speaking of in house applications, as well as external developments, this law ensures that any software used by these organizations is analyzed, in addition, the law specifies that continuous analyses should be implemented.
Organizations that employ less than 10 people, who have produced less than $5M USD in annual gross revenues in each of the last three years, or have less than $10M USD in total assets at the end of the year are exempt from compliance with certain requirements of the regulation.
Ethical hacking specialists mention that the cybersecurity budget of an organization is usually invested for network protection, but application code vulnerabilities are the primary goal of hackers. This can be seen in any case of high-profile data theft known, where vulnerabilities lie in some unrepaired software, that is one of the reasons why this law includes a specific section of security in applications.