The next deadline under New York’s cybersecurity compliance regulations, the first of their kind in the nation, is quickly approaching. The regulations went into effect last March and apply to any business or organization that reports to the Department of Financial Services (DFS).
Many checkpoints have already been passed since the regulations took effect, requiring businesses to implement varying levels of cybersecurity initiatives and protocols. By Feb. 15, these organizations will need to verify their efforts by submitting their first annual certification of compliance.
The swath of organizations that is affected is wide. The DFS oversees banks and trust companies; budget planners; charitable foundations; check cashers; credit unions; domestic representative offices; foreign agencies; foreign bank branches; foreign representative offices; health insurers, accident and related entities; holding companies; investment companies; licensed lenders; life insurance companies; money transmitters; mortgage bankers; mortgage brokers; mortgage loan originators; mortgage loan servicers; New York state regulated corporations; premium finance agencies; private bankers; property and casualty insurance companies; safe deposit companies; sales finance companies; savings banks and savings and loans associations; and service contract providers.
It’s worth noting that organizations not located in New York state but which still do business in the state do fall under New York’s DFS oversight.
By now, these organizations should have established and be maintaining a cybersecurity program and a cybersecurity policy; have designated a qualified individual, internal or outsourced, to serve as chief information security officer (CISO); be limiting user-access privileges as part of the cybersecurity program; be utilizing qualified cybersecurity personnel; have established a written incident-response plan; have notified the DFS of cybersecurity events as required; and have filed a notice of exemption, if applicable.
As Feb. 15 approaches, affected businesses need to act quickly to ensure that they are in compliance with these requirements. Fines will be fast and heavy for organizations that are found to be noncompliant.
Immediately following that deadline, CISOs are required to deliver an annual report to the board or governing body of the company by March 1. Companies subject to the full regulations must also begin conducting annual penetration testing, biannual vulnerability assessments and periodic risk assessments, as well as establish multifactor authentication, if needed, and provide regular cybersecurity awareness training for all personnel. Additional transitional time periods will end on Sept. 3 and March 1, 2019.
While New York state businesses and organizations that fall under the jurisdiction of the DFS must fulfill these requirements on a fixed timeline, other organizations, whatever state they operate in and whether or not they report to a department of financial services, would do well to review their own cybersecurity situation and strengthen it as needed.
In fact, most of the cybersecurity requirements set forth in the new regulations, 23 NYCRR 500, are really just best practices for any organization and aren’t that terribly expensive or difficult to employ.
And while New York is the first state to require such cybersecurity regulations be met, it’s only a matter of time before other states and other industries follow suit.
Examining your cybersecurity position now can help you stay ahead of the competition, as well as offer your clients additional protection. And it can safeguard your business against the short-term and long-term financial implications that result from a cybersecurity breach.
A qualified IT or technology security company can help organizations put these strategies in place quickly and easily. Developing a work environment focused on cybersecurity, combined with the appropriate ongoing training, will potentially save a firm money and time associated with recovering from a data hack. Even simple steps like requiring longer, more complex and frequently changed passwords, setting up 10-minute screen savers, establishing individual logins, devising backup and disaster recovery plans, and facilitating ongoing training all add up to create a foundation for a much more secure operating environment.
As cybercriminals become more sophisticated every day, the concerns that inspired the new regulations in New York state are real, and other states are considering similar measures. No doubt many businesses are already doing the right thing in terms of protecting their clients’ and their own critical information.
The new regulation is meant to ensure that nothing is overlooked in terms of cybersecurity and to ensure that systems are in place to continually assess and improve an organization’s cybersecurity protection.
Al Alper is CEO and founder of Absolute Logic and CyberGuard360 in Wilton, providing technical support, security services and technology consulting to businesses of up to 250 employees in New York and Connecticut, and an author and national speaker on IT and security issues. He can be reached at email@example.com or 855-255-1550.