NYDFS Business Continuity and Disaster Recovery Requirements Simplified

Cloud IBR is not a law firm, nor do we offer legal advice. When specific legal questions arise, you should always consult with an attorney.

In 2023 the New York Department of Financial Services (NYDFS) adopted the second amendment to 23 NYCRR Part 500, referred to as “the Cybersecurity Regulation” (a revised proposed version was published for comment in June 2023 and the final text in November 2023). The regulation took effect in 2017 in response to the growing number of data breaches and cyber threats affecting financial services companies, and it has been amended more than once since. This article looks at the current version of section 500.16, which covers incident response and business continuity and disaster recovery (BCDR).

What Businesses Does the NYDFS Cybersecurity Law Apply To?

The NYDFS oversees the broader financial services industry in New York, which includes banks, insurance companies, lenders, mortgage companies and charitable annuity societies, among others. In general, any person or entity operating under a license, registration, charter or similar authorization from the NYDFS is a “covered entity” and must follow this regulation unless it qualifies for an exemption.

When Does a Business Qualify for an Exemption?

Section 500.19 contains six subsections that offer exemptions. Each of them relieves a qualifying entity of section 500.16 (incident response and business continuity management), so a business that qualifies does not need to meet the business continuity and disaster recovery (BCDR) requirements discussed below. Note that most of these exemptions are partial: the remaining sections of the regulation may still apply.

To view how these exemptions apply to other areas, visit NYDFS Cybersecurity Resource Center.

Here is what is needed to qualify:

500.19(a)

This is the limited exemption. A covered entity qualifies if it meets any one of the following:

  1. Fewer than 20 employees and independent contractors, counting the business and its affiliates.
  2. Less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations of the business and the New York operations of its affiliates.
  3. Less than $15 million in year-end total assets, including the assets of all affiliates.

A business exempt under 500.19(a) is excused from section 500.16 and several other sections, but must still comply with the rest of the regulation.

500.19(b)

The business must be an employee, agent, representative or designee of another covered entity and be fully covered by that entity’s cybersecurity program.

500.19(c)

The business must not operate, maintain, use or control any information systems, and must not own, access, generate, receive or possess any nonpublic information (nor be required to).

500.19(d)

The business must be a captive insurance company that holds no nonpublic information other than information relating to its corporate parent and affiliates.

500.19(e)

The covered entity must be an inactive individual insurance broker who:

  • Does not operate or use any information systems and does not hold any nonpublic information
  • Has not sold or assisted with any insurance policies for at least a year
  • Does not hold any other license that would make them subject to the regulation

500.19(g)

The covered entity must be one of the following AND not be subject to the regulation through a different license it holds:

  • A charitable annuity society (a charitable organization that sells annuities)
  • A risk retention group not chartered in New York
  • An inactive individual insurance agent
  • An inactive mortgage loan originator
  • An accredited or certified reinsurer

Submitting Notice of Exemption

For the filing deadline and instructions on how to submit a Notice of Exemption, visit the NYDFS Cybersecurity Resource Center.

What are the BCDR Plan Requirements?

Section 500.16 requires each covered entity to maintain written BCDR plans that are reasonably designed to keep its information systems and material services available and functional, and to protect its personnel, assets and nonpublic information, in the event of a cybersecurity-related disruption to normal business activities.

Here are some essential components your plan should include:

  • Identify what’s essential:

    Determine the documents, data, facilities, infrastructure, services, personnel and competencies that are essential to the continued operation of the business.

  • Assignment of responsibilities:

    Identify the supervisory personnel responsible for implementing each aspect of the plan.

  • Communication strategy:

    Establish a plan for communicating with essential persons during a disruption. These include employees, counterparties, regulatory authorities, third-party service providers, disaster recovery specialists, senior management and anyone else needed to resume operations.

  • Recovery procedures outline:

    Document procedures for the timely recovery of critical data and information systems so that operations can resume as soon as reasonably possible after a cybersecurity-related disruption.

  • Data backup protocol:

    Back up (or copy) the information essential to operations often enough to meet your recovery objectives, and store those backups off-site.

  • Identification of external partners:

    Identify the third parties necessary to the continued operation of your information systems.

Additional requirements:

  • Keep the plans accessible to all necessary personnel at all times, in a form that can still be reached during a cybersecurity event. In practice that means an offline or out-of-band copy, since a plan stored only on the systems under attack may be encrypted or unreachable when it is needed.
  • Train all relevant employees so they know their roles in the plans.
  • Test the incident response and BCDR plans at least once a year with all staff and management critical to the response, and revise the plans as needed based on the results.
  • At least annually, test your ability to restore critical data and information systems from backups.
  • Maintain the backups needed to restore material operations, and protect them from unauthorized alteration or destruction (for example, with immutable or write-once storage and credentials that production systems do not hold).
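A restore test only satisfies the last two requirements if it produces a verifiable pass/fail result rather than a visual check that files exist. The following is an added example, not Cloud IBR or Veeam code and not part of the regulation: a hypothetical helper that records a signed manifest of SHA-256 digests when a backup is taken and later verifies a restored copy against it, flagging files that are missing, altered or unexpected, and detecting a manifest that was itself tampered with. The signing key is a constructed constant here; in practice it would live in a secrets store that the backup storage account cannot write to. The sample files are constructed in a temporary directory.

```python
"""Added example: signed backup manifest and restore verification.

Hypothetical helper, not vendor code. Assumes MANIFEST_KEY is kept
somewhere the backup target cannot modify (here it is a constructed
constant for demonstration only).
"""
from __future__ import annotations

import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Constructed for the example; fetch from a secrets manager in practice.
MANIFEST_KEY = b"example-manifest-signing-key"


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record relative path -> SHA-256 for every file, then HMAC the record."""
    entries = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(backup_root).as_posix()] = _sha256_file(p)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries,
            "mac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def verify_restore(restored_root: Path, manifest: dict) -> list[str]:
    """Return a list of findings; an empty list means the restore test passed."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    # Check the manifest first: a forged manifest would make any restore "pass".
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    findings = []
    for rel, digest in manifest["files"].items():
        p = restored_root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif _sha256_file(p) != digest:
            findings.append(f"modified: {rel}")
    on_disk = {p.relative_to(restored_root).as_posix()
               for p in restored_root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - set(manifest["files"])):
        findings.append(f"unexpected: {rel}")
    return findings


def run_demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a clean restore, a restore where one file was
    overwritten and one deleted (ransomware-style), and a forged manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (src / "config.yaml").write_bytes(b"rto_hours: 4\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_ok"
        shutil.copytree(src, good)
        clean = verify_restore(good, manifest)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "db" / "customers.sql").write_bytes(b"ENCRYPTED\n")
        (bad / "config.yaml").unlink()
        tampered = verify_restore(bad, manifest)

        # An attacker who can rewrite the manifest but not sign it is caught.
        forged_manifest = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged_manifest["files"]["config.yaml"] = "0" * 64
        forged = verify_restore(good, forged_manifest)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), run_demo()):
        print(label, result or "PASS")
```

The manifest should be written at backup time and stored alongside the off-site copy; the key that signs it must not be reachable from the hosts being backed up, otherwise an attacker who encrypts the backups can re-sign a matching manifest. Running the verification as part of the annual restore test yields a dated, reproducible record of what was restored and whether it matched.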

How Cloud IBR Can Help with Compliance

Cloud IBR is an automation-driven SaaS platform for backup recovery, ransomware recovery and cybersecurity compliance testing. Its portal helps MSPs and IT departments meet the requirements above through the following functions.

Cloud IBR’s platform ensures your BCDR plan includes:

Regular Data Backup Protocol: Cloud IBR automatically imports Veeam backups stored in S3-compatible object storage, such as Backblaze B2 or Wasabi, so that an off-site copy of your data is kept ready for retrieval.

Efficient Recovery Protocols: During a crisis, Cloud IBR shortens recovery times from weeks to hours by deploying bare metal cloud servers and restoring your Veeam backups onto them. Meeting a recovery time objective (RTO) measured in hours rather than weeks means critical data and systems are back promptly and downtime is reduced.

On-Demand Compliance Testing: Run automated recovery tests daily, weekly or monthly with a single click. Cloud IBR generates a report for each test; these reports document the restore testing section 500.16 requires and can be shared with auditors, regulators or insurers as evidence of compliance.

Immutable Backups and Ransomware Recovery: Protect your backups from unauthorized alteration or destruction with immutable Veeam backups. In the event of a ransomware attack, Cloud IBR facilitates a secure and efficient recovery, ensuring your business continuity is maintained.

The simplicity and automation of Cloud IBR means that you can focus on running your business, confident that your BCDR plan is robust, compliant and ready for any disruption.

Learn More About Cloud IBR