What is 23 NYCRR 500 and is Your Organization Compliant? Three Key Updates & How They Impact Your Green Screen Host Access

Rocket Software

In 2017, the New York State Department of Financial Services (NYDFS) established 23 NYCRR 500 (effective March 1, 2017), a cybersecurity regulation that sets out specific requirements for the entities NYDFS licenses or regulates, including banks, insurers, and other financial services companies operating in New York, to protect nonpublic information. Compliance has since become essential for any covered entity, and failure to remain in compliance can bring costly penalties and fines.

In November 2023, the NYDFS adopted an amendment to 23 NYCRR 500, bringing several changes and new requirements that businesses will need to follow to remain compliant. These updates include changes to cybersecurity governance, requirements around encrypting nonpublic information (NPI), and what organizations must have in place for business continuity and incident management.

In the face of complex, yet vital, regulatory requirements, organizations that depend on terminal emulation and green screen access for mainframe systems need to ensure they are equipped with the right tools that can help keep existing IT infrastructure secure and compliant with shifting policies.

But what exactly is changing for businesses in New York State? Let’s look closer.

NYDFS Cybersecurity Regulation: What’s Changed?

Since its inception, the regulation has evolved to adapt to the shifting cybersecurity landscape. This latest update affects three key areas:

  • Cybersecurity Governance – Under the latest changes, Chief Information Security Officers (CISOs) must now include plans for remediating material inadequacies in their written reports to the senior governing body. CISOs must also report to the senior governing body or senior officers on material cybersecurity issues, such as significant cybersecurity events or significant changes to the cybersecurity program. The senior governing body, in turn, must exercise oversight of the organization's cybersecurity risk management.
  • Encryption of Nonpublic Information – Organizations must have a written policy that requires encryption meeting industry standards. Compensating controls are no longer accepted in place of encryption for NPI in transit over external networks; for NPI at rest, effective compensating controls may still be used, provided the CISO reviews and approves them in writing at least annually.
  • Incident Response and Business Continuity Management – Incident response plans remain a requirement, but they must now be updated as specified and tested at least annually. Business continuity and disaster recovery (BCDR) plans that address cybersecurity-related disruptions must also be in place. Covered entities must train all employees involved in implementing the plans, test the plans with critical staff, revise them as needed, test their ability to restore critical data and information systems from backups, and maintain and adequately protect the backups needed to restore material operations.

These changes also include new requirements for small businesses. Those organizations must now require multi-factor authentication (MFA) for any remote access to their information systems, for remote access to third-party applications (including cloud applications) from which NPI is accessible, and for all privileged accounts. They must also provide cybersecurity awareness training at least once a year to all personnel, covering social engineering such as phishing, business email compromise, and AI-enhanced techniques like deepfakes.
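As an added example (not code from Rocket Software or from the regulation), the following Python script audits a constructed inventory of terminal emulation session definitions and NPI data stores against the encryption and MFA rules summarized above: TLS is mandatory for NPI in transit over external networks with no compensating control accepted, MFA is mandatory for remote access, and unencrypted NPI at rest is tolerated only with a compensating control the CISO approved in writing within the last year. The record layouts, field names, host names and dates are assumptions made for illustration.

```python
"""Audit host access sessions and NPI stores against the 23 NYCRR 500 rules
summarized above. Added example; record layouts and sample data are assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class HostSession:
    """One terminal emulation session definition (assumed layout)."""
    name: str
    host: str
    port: int
    tls: bool            # TN3270 session negotiated over TLS?
    network: str         # "internal" or "external" (e.g. over the internet)
    remote_access: bool  # reached from outside the entity's own network?
    mfa: bool            # MFA enforced before the session is established?
    carries_npi: bool    # does the application expose nonpublic information?


@dataclass
class NpiStore:
    """One data set holding NPI at rest (assumed layout)."""
    name: str
    encrypted_at_rest: bool
    compensating_control: Optional[str] = None  # description of the control
    ciso_approved_on: Optional[date] = None     # date of written CISO approval


Finding = tuple[str, str]  # (severity, message); severity is fail, warn or info


def audit_session(s: HostSession) -> list[Finding]:
    findings: list[Finding] = []
    if s.carries_npi and s.network == "external" and not s.tls:
        # In-transit rule: no compensating control substitutes for encryption here.
        findings.append(("fail", f"{s.name}: NPI in transit over an external network "
                                 "without TLS; no compensating control is accepted"))
    if s.remote_access and not s.mfa:
        findings.append(("fail", f"{s.name}: remote access without MFA"))
    if s.carries_npi and s.network == "internal" and not s.tls:
        # Not a hard requirement in the summary above, but plaintext telnet
        # carrying NPI is a weak spot an assessor will ask about.
        findings.append(("warn", f"{s.name}: plaintext telnet on port {s.port} "
                                 "carries NPI on the internal network"))
    return findings


def audit_store(st: NpiStore, today: date) -> list[Finding]:
    if st.encrypted_at_rest:
        return []
    if not st.compensating_control or st.ciso_approved_on is None:
        return [("fail", f"{st.name}: NPI at rest is unencrypted with no "
                         "CISO-approved compensating control")]
    if today - st.ciso_approved_on > timedelta(days=365):
        # At-rest rule: the compensating control needs written CISO approval at least annually.
        return [("fail", f"{st.name}: compensating control approval dated "
                         f"{st.ciso_approved_on} is older than a year")]
    return [("info", f"{st.name}: unencrypted at rest, covered by "
                     f"'{st.compensating_control}' approved {st.ciso_approved_on}")]


def run_audit(sessions: list[HostSession], stores: list[NpiStore],
              today: date) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {"fail": [], "warn": [], "info": []}
    for s in sessions:
        for sev, msg in audit_session(s):
            report[sev].append(msg)
    for st in stores:
        for sev, msg in audit_store(st, today):
            report[sev].append(msg)
    return report


# Constructed sample inventory (hypothetical hosts, data sets and dates).
SESSIONS = [
    HostSession("CICS-PROD", "mvs01.example.internal", 992, True, "internal", False, True, True),
    HostSession("CICS-VPN", "mvs01.example.internal", 23, False, "external", True, False, True),
    HostSession("TSO-DEV", "mvs02.example.internal", 23, False, "internal", False, False, True),
    HostSession("IMS-PARTNER", "gw.example.net", 992, True, "external", True, True, True),
]
STORES = [
    NpiStore("CUST.MASTER", encrypted_at_rest=True),
    NpiStore("CLAIMS.ARCHIVE", False, "RACF profiles plus offline tape vault", date(2025, 1, 15)),
    NpiStore("LEGACY.EXTRACT", False, "Restricted dataset profile", date(2024, 3, 1)),
    NpiStore("TEMP.SORT", False),
]

if __name__ == "__main__":
    for severity, messages in run_audit(SESSIONS, STORES, date(2025, 6, 1)).items():
        for m in messages:
            print(f"[{severity.upper()}] {m}")
```

The asymmetry the script encodes is the point: a plaintext TN3270 session reaching a mainframe over an external network is a finding no matter what else surrounds it, while an unencrypted data set can pass, but only while its compensating control carries a CISO approval less than a year old.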

Rocket Software and Secure Green Screen Host Access

With the changes to security and remote access requirements in New York State's regulation, organizations must prioritize the security of their terminal emulation capabilities. This is a good time to look to third-party vendors for support. Rocket Software, for example, offers solutions designed to help businesses subject to this type of regulation adapt and evolve along with its requirements.

For organizations that must manage green screen access under strict security requirements, Rocket Software's secure green screen host access capabilities modernize mainframe access without disruption. Rocket makes it straightforward to manage mainframe terminal emulation sessions and monitor their encryption status, which matters more than ever now that compensating controls are no longer accepted for NPI in transit over external networks.

Extending Access Management Across Mainframe Applications

Rocket can also extend an organization's identity and access management (IAM) solution to cover mainframe host application access, so that the MFA controls already protecting other systems also protect mainframe applications. As requirements in 23 NYCRR 500 shift, keeping system access parameters in line with both corporate policy and external regulation will be critical, particularly as the emphasis on regular risk assessments grows. With mainframe security services such as compliance assessments, Rocket Software gives organizations greater control over access to critical systems.

Learn more about how Rocket Software can help your organization adapt to the latest security regulations.