from Computer Experts Group
NYS Department of Financial Services gave you deadlines. We give you complete cybersecurity solutions.
Computer Experts Group's Compliance Navigator gets you compliant fast
and keeps you compliant with regulatory changes.
Compliance Navigator responds to new cyber threats with cutting edge
technologies and the latest information to arm your team.
We work with your existing IT infrastructure, your timeline and your bottom line.
NYS gave you the Department of Financial Services 23 NYCRR-500 Cybersecurity regulation. The regulation requires that every company regulated by DFS now have data security policies and disaster recovery plans, take steps to prevent ransomware, and have robust cybersecurity plans and procedures in place that help protect proprietary company data and private consumer information.
CXG’s Compliance Navigator provides the tools, assistance and guidance you need for full compliance, including training your employees to avoid phishing and scams, be on the lookout for hacking, and know how to respond to security threats like ransomware attempts. Our advisors and technicians work with you to create custom cybersecurity policies, procedures and infrastructure. Our easy-to-use portal keeps your documents, logs and other compliance-required records at your fingertips should you have an issue that requires notification to the State or another agency.
Who needs the Computer Experts Compliance Navigator?
NY State DFS’s Cybersecurity Regulation part 23 NYCRR-500 applies to the following types of companies operating in NY. Some exemptions apply.
Insurance brokers, health insurers, title and life insurance companies, financial service centers, banks, credit unions, private bankers, check cashers, mortgage brokers and mortgage loan servicers, service contract providers, investment companies, and budget planners operating in NY State.
There is a “Limited Exemption” rule that eliminates certain requirements based on the following criteria. If your company fits ANY of the following criteria, then you qualify for the exemption from some of the requirements within 23 NYCRR 500.
- Fewer than 10 employees (including independent contractors)
- Less than $10 million in year-end total assets
- Less than $5 million in gross revenue
Compliance solutions that fit your needs and timeline
Your easy-to-manage portal helps you track compliance to-do’s, documents, issues, reporting, employee participation and weaknesses, and acknowledgement of company policies.
Compliance Navigator packages include:
Our comprehensive assessment helps you determine your current level of cybersecurity and risk, set cybersecurity goals that are in sync with your business environment, and establish a plan for improving or maintaining your cybersecurity. We evaluate your security environment for compliance with federal and state recommended standards with a thorough review of all devices on the network, your data stored in the cloud and locally, access controls, and physical environment vulnerabilities that affect the security of your data. In addition, we evaluate your ability to continue business operations should your business be impacted by threats such as cyber attacks, employee negligence or malice, extended power outages or natural disasters. Recommended remediation actions are included in the report. Our risk assessment covers the compliance requirements of 23 NYCRR-500 and can be expanded for organizations subject to specific data security regulation and compliance requirements such as SEC, HIPAA or PCI.
After your Risk Assessment is completed, we help create the documented cybersecurity policies that should be in place to guard critical data against attacks. Your policies will help ensure the security and confidentiality of personally identifiable information (PII) of customers, clients, employees or vendors as well as sensitive company data. We also help you define access controls, define sanctions for employees or third-party vendors who don’t comply, create a Bring Your Own Device policy, and write an Incident Response Plan. After finalizing the policies with you, we organize them in your compliance portal, where we can then track and report on staff acknowledgement of policies.
Business Continuity/Disaster Recovery plan
Business continuity and disaster recovery planning requires advance preparation to ensure that critical business functions can continue. CXG’s Compliance Navigator helps you create documented plans and procedures to ensure the quick, effective execution of continuation or recovery strategies for critical business functions should the business be impacted by natural disaster or successful cyber attack.
Incident Response plan
The purpose of this plan is to establish procedures for the identification, response to, and documentation of security incidents; the mitigation of the effects of known security incidents; and the reporting of breaches and breach response, such as notification of affected customers.
Access control plan
Ensures that systems containing personally identifiable information and sensitive company data are accessed only by those persons or software programs that have been granted appropriate access rights. Includes guidelines and procedures such as password creation and management, user identification, and encryption.
Employee awareness training
With human error being the most common cause of a cyber intrusion, employee security training is crucial to ensuring employees know how to spot a hacking attempt. We offer automated security awareness training as well as in-person annual company updates on the latest cyber threat landscape and on changes to company policies. 23 NYCRR-500.14(b) specifies that nonexempt companies provide regular cyber risk awareness training to all personnel.
Compliance deadline reminders
Compliance with the 23 NYCRR-500 regulation has been divided into transitional periods to allow for adoption of all of its parts, with annual certifications thereafter. We will provide you with deadline reminders, checklists for compliance, and any updates to the regulation.
New employee CN onboarding
The Compliance Navigator service includes adding new employees to trainings, weak-link reporting, and policy acknowledgment reporting.
Managed Antivirus, Antimalware, and Ransomware protection
- Managed Advanced Antivirus, Antimalware, web security upgrade, and Antiransomware package. Our team of experts provides all the software, licensing, management and updates for the PCs and servers as part of the service.
- Advanced endpoint security protection centrally managed by CXG
- Detects and protects your files from viruses, worms, rootkits, Trojans, and other threats.
- Flexible deployment methods (push over VPN, URL, Group Policy, or exe)
- Reporting on endpoint compliance, threat detection, and custom reports available
- Advanced options available: Exchange and other email security; Encryption; Data Loss Prevention (DLP)
Managed Multifactor Authentication
Multifactor Authentication (MFA), such as the familiar 2-step verification option in Gmail, means authentication through verification of at least two of the following types of authentication factors: something you know, such as a password; something you have, such as a token or a text message on a mobile phone; or something you are, such as a biometric characteristic. MFA helps you secure access to sensitive data, applications, and networks. Corporate MFA policies and implementation can be extremely complex given the increasing sophistication of hackers combined with lax policies, users’ lack of technical ability, and issues such as employees using their own phones and laptops for work. CXG’s Managed Multifactor Authentication Solutions simplify company-wide MFA management. MFA is required for non-exempt companies under 23 NYCRR-500.12.
We offer geographically dispersed, versioned image-based backups that allow us to keep your company up and running even in the event of a large-scale disaster such as a hurricane or earthquake. Further, should there be a successful ransomware incident, we can go "back in time" to a restore point before the encryption, removing the need to pay a ransom to get your data back.
CXG can provide both "data-in-transit" and "data-at-rest" encryption solutions to help you comply with security requirements.
Breach reporting guidance and support
Event reporting guidance and a security event log are included in the plan. Forensics assistance is provided on an hourly basis.
Annual policy updates
In addition to the above, Compliance Navigator Plus packages may include:
Continuous monitoring is required by section 500.05 of 23 NYCRR-500 for nonexempt companies. Continuous monitoring technology is not precisely defined, in part because the manner of implementation will vary depending on infrastructure, the company’s cybersecurity program and in-house IT capacity. CXG works with you to develop a continuous monitoring program appropriate for your company.
Penetration testing has a cybersecurity expert actively try to defeat and penetrate your security from the outside to see what information they can gain access to. Of course, everything is covered by an NDA. In the absence of continuous monitoring services, DFS requires annual penetration testing for nonexempt companies, per 23 NYCRR-500.05.
Vulnerability scanning covers all systems from inside your network, and your networking equipment from outside, looking for known problems and methods of ingress. In the absence of continuous monitoring services, DFS requires bi-annual vulnerability testing per 23 NYCRR-500.05.
Third party compliance reports
23 NYCRR-500.11 requires that by March 1, 2019 all companies subject to these requirements comply with the Third Party Service Providers Policy. This includes undertaking due diligence to identify Company data accessible by Third Party Service Providers and assess the risk, then implementing requirements for that third party’s cybersecurity practices as a condition of doing business with the Company. CXG’s Compliance Navigator portal can be used to track third-party due diligence, set reminders and organize related documents. Optional third-party reviews are available.
Questions we ask our clients:
“What is your daily cost of downtime of all computers and network?”
“What is the value of an hour of your company’s productivity?”
“What is the cost of noncompliance?”
We recognize your need to protect your bottom line, and the challenge of protecting your data, your customers, and your employees.
At the same time, cyber threats are increasing dramatically, and we recognize the challenge of keeping up with emerging threats.
Global ransomware damage costs exceeded $5 billion in 2017. That's up from $325 million in 2015 — a 15X increase in two years and expected to worsen. Ransomware attacks on healthcare organizations — the No. 1 cyber-attacked industry — will quadruple by 2020. Cybersecurity Ventures expects ransomware damage costs will rise to $11.5 billion in 2019 and that a business will fall victim to a ransomware attack every 14 seconds by that time.