Since March 1, 2017, financial services companies regulated by New York State have been required to build a cybersecurity program under a New York cybersecurity regulation entitled 23 NYCRR Part 500, issued by the New York Department of Financial Services (NYDFS). The regulation took effect on that date, with its individual requirements phasing in over transitional periods, and by February 15, 2018, affected businesses must submit their first annual certification of compliance to NYDFS.
What You Need to Know About New York State Cybersecurity Law Compliance
Who it Affects
The New York cybersecurity regulation is legally binding on “covered entities”: any person or business operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the state’s Banking Law, Insurance Law or Financial Services Law. That means banks, insurers, mortgage lenders, money transmitters and similar DFS-regulated businesses, not every company in New York.
There are limited exemptions for covered entities with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets. These are limited exemptions, not a free pass: an exempt business must still file a Notice of Exemption with NYDFS and remains subject to core requirements such as maintaining a cybersecurity program and written policy, limiting access privileges, assessing risk, and reporting cybersecurity events to the department.
Why it’s Necessary
Over the last few years, businesses both small and large have been targeted by cyberattacks, and there is no sign the trend will stop any time soon. Thousands of people have had their personal information stolen as a result.
Financial institutions, in particular, handle highly sensitive data that can ruin lives if it falls into the wrong hands. These businesses have a responsibility to their clients, and the regulation seeks to enforce it.
What the Law Entails
Businesses that meet the above criteria must assess their cybersecurity risks and maintain a cybersecurity program designed to address them, including:
- Designating a “chief information security officer” (CISO), who can be an in-house employee or be provided by an affiliate or a third-party service provider
- Adopting a written cybersecurity policy that sets minimum standards for the security of information systems and the nonpublic information they hold
- Developing business continuity and disaster recovery plans
- Holding executives, management and employees accountable for security, including an annual written report from the CISO to the board or senior officers on the state of the program
Organizations are also responsible for providing regular cybersecurity awareness training for all personnel, an obligation that will become much easier to meet if the Main Street Cyber Security Act, which is currently pending in the House of Representatives, becomes law.
3 Tips for Ensuring Compliance
1. It’s more than just a Silly Document
A quick read of the regulation might suggest that all you need to do is appoint a chief information security officer and draft a cybersecurity guide for your employees.
In practice there are many specific requirements, ranging from technical controls such as multi-factor authentication, encryption of nonpublic information, audit trails, and periodic penetration testing and vulnerability assessments, to a written incident response plan and notification to NYDFS within 72 hours of a qualifying cybersecurity event, all of which make compliance a painstaking process. The regulation also requires that your program be based on a documented, periodically updated risk assessment, which means it needs to address not only current risks but the risks that emerge as your business and the threat landscape change.
2. Expertise is Necessary
With all due respect to the average employee of your business, they are most likely not a cybersecurity expert, and they probably lack the qualifications the regulation expects of a chief information security officer.
It may be necessary to bring in a third party with a proven track record and the relevant expertise to help you develop and administer a cybersecurity program.
3. Management must be Dedicated
Managers and executives must actively participate in the enforcement of the cybersecurity plan in order to create a culture that takes the threats posed by hackers seriously.
This is something we recommend to all of our clients, but for affected businesses it’s the law. The chairperson of the board or a senior officer must sign the annual certification of compliance, which states that they have reviewed the documents, reports, certifications and opinions of officers, employees and others as necessary, and that to the best of their knowledge the program complies with the regulation. They could potentially be held personally liable if the program is determined to be noncompliant.
Failure to comply with this New York cybersecurity regulation could result in monetary penalties and other enforcement action by NYDFS against the business and the individuals responsible. If you’re unsure whether your business will be compliant before the February 15 deadline, get in touch with your IT provider today.