New York State Cyber Security Regulations Emphasize Governance, Risk & Compliance

New York State Cybersecurity Law Heavy on GRC and Proactive Cybersecurity

The first phase of the New York state cybersecurity regulations, which apply to insurance companies, banks, and other financial institutions operating within the state, went into effect at the beginning of March. While the insurance and finance industries are already subject to numerous cybersecurity-related standards and regulations, New York’s legislation represents the first time a state has mandated specific cybersecurity requirements.

Breaking Down the Requirements

If you want to read all 14 pages and 23 sections, you can download a PDF copy of the regulations here. The requirements, which are being phased in over a two-year period, mandate that organizations engage in proactive cybersecurity and GRC practices, such as:

  • Conducting a comprehensive risk assessment and using the results to design and implement a cybersecurity program, a written cybersecurity policy, and a written incident response plan. Further, a separate cybersecurity policy must be established for third-party service providers.
  • Designating a Chief Information Security Officer (CISO) and employing “qualified cybersecurity personnel,” either in-house or through a third-party provider, to perform information security-related functions.
  • Providing all employees with ongoing cybersecurity awareness training, and providing cybersecurity employees with continuous training to keep them current in their field.
  • Performing periodic penetration testing, vulnerability assessments, and risk assessments.
  • Establishing appropriate system user access privileges, maintaining system audit trails, and utilizing technical controls such as multi-factor authentication and data encryption.
  • Adhering to certain reporting, notification, and confidentiality requirements.

SMBs Fret Over Complying with New York State Cybersecurity Law

Most affected organizations have until August 28, 2017, to implement the first phase of the New York State cybersecurity regulations, including the cybersecurity policy, employee training program, incident response program, designating a CISO, and hiring qualified cybersecurity employees. Despite the fact that smaller firms – those with fewer than 10 employees and less than $10 million in assets and $5 million in gross revenues – are exempt from certain portions of the law, many small and medium-sized businesses are worried about their ability to comply.

Although the new law mirrors numerous existing cybersecurity frameworks and standards, such as ISO 27001, FFIEC, GLBA, NIST CSF, and OCC, as well as guidance from the FTC, many organizations have neglected information security for years. These firms will need to do some serious catching up – and they are not going to get away with simply updating a couple of lines in their existing policies or appointing the office manager the “CISO.” They will need to completely shift their mindset, overhaul their cybersecurity governance, policies, and plans, implement specific security controls and, in many cases, drastically increase their security budgets to pay for all of these changes.

Even for organizations that grasp the importance of proactive cybersecurity, compliance concerns are warranted. Not only are the law’s requirements quite involved, but they also require that firms hire or contract with qualified cybersecurity experts and a CISO. There is simply no getting around seeking out expert help. Meanwhile, there is a severe shortage of workers with cybersecurity skills. ESG Research reports that nearly half of all organizations cited “a problematic shortage of cybersecurity skills in 2016.” Even when organizations can locate qualified talent, they must pay top dollar to attract it. The New York state cybersecurity regulations are expected to shrink the talent pool even further and drive salaries even higher as multinational Wall Street finance companies with deep pockets snap up security analysts and engineers.

Automation and Outside Help Are Keys to Compliance

Most SMBs, as well as more than a few large businesses, will find that hiring in-house cybersecurity talent is out of reach. The labor costs alone will break many smaller firms’ budgets – if they can even find qualified workers in the first place. Fortunately, organizations may fulfill the law’s personnel requirements, including the requirement for a CISO, by enlisting the services of a professional cybersecurity firm such as Continuum GRC. Outsourcing your organization’s cybersecurity and compliance ensures that you get the expert talent you need immediately and at a price that is far lower than hiring in-house employees. Further, your organization would not have to shoulder the burden of the continuous cybersecurity training that the New York law requires.

Automation is also critical. Many organizations still use spreadsheet programs for their IT audits, compliance, and reporting. This time-consuming, inefficient, dysfunctional practice has been outdated for years – and the New York regulations are going to expose its weaknesses even more clearly. Now more than ever, organizations of all sizes must ditch manual IT audits, reporting, and GRC processes and use RegTech software such as Continuum GRC’s IT Audit Machine (ITAM IT audit software). The ITAM IT audit software can help you comply with the New York cybersecurity law by integrating your IT governance, policy management, risk management, compliance management, audit management, and incident management; creating, measuring, monitoring, and managing your IT governance programs; and providing clear visibility into key risk indicators, assessment results, and compliance initiatives, with integrated reporting of self-assessments, manual assessments, and automated controls.

New York Cybersecurity Law Expected to Be Model for Other Industries & Localities

Even if your business is not located in New York state or operates outside of the finance and insurance industries, it is likely that these new regulations will eventually impact your business. First, because of the international reach of the finance and insurance industries in New York, other states and even other countries are expected to use the law as a model as they seek to stem the tide of data breaches, identity theft, and other forms of cyber crime. Second, the New York State cybersecurity regulations heavily emphasize governance, risk, and compliance processes that all organizations should be engaging in anyway, as part of their proactive cybersecurity plan.

Your organization does have a proactive cybersecurity plan, doesn’t it?

The cybersecurity experts at Continuum GRC have deep knowledge of the cybersecurity field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cybersecurity programs.

Continuum GRC is proactive cybersecurity®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance with the New York cybersecurity regulations and all other applicable laws, frameworks, and standards.

Continuum GRC