With the passing of new cybersecurity laws late last year, New York became the first state in the U.S. to specifically protect consumers and financial institutions from cyber-attacks. The new regulations affect banks and insurance companies, both of which have exactly 180 days from January 1 to comply. As a result, New York-based organizations falling into either category have a lot of work to do prior to June 30. Plus, since these new laws likely set a precedent for other states to follow suit, businesses outside of the state would be wise to start arranging their cyber operations to resemble the stipulations required in New York.
The laws mirror the Center for Internet Security (CIS)'s 20 CIS Critical Security Controls: guidelines for best cybersecurity practices that, if fully implemented, can reduce cyber-attack risk by 94 percent (https://www.cisecurity.org/critical-controls.cfm). An important component of the law that resembles the CIS 20 concepts is that financial institutions will be required to perform a risk assessment prior to constructing and writing their cybersecurity programs. This requirement ensures that each organization structures its forthcoming program in a manner that best fits its individual business. Individualizing cybersecurity programs in this way means that small businesses and large businesses will be held to different security standards as appropriate, which is good news for all organizations.
Businesses will also need to designate a CISO to manage the implementation and enforcement of any and all cybersecurity policies and procedures. Organizations that do not have the capacity to hire someone to fill this role need not worry, as the regulations allow businesses to partner with experienced service providers instead. This allowance means that financial institutions without an existing cybersecurity division do not need to build an entire department from scratch. Instead, businesses can turn to an affiliated organization or a third-party service provider to manage their cybersecurity efforts entirely.
In addition to the initial assessment, financial institutions will now be required to conduct routine vulnerability assessments and penetration testing while documenting any cyber risks and how those risks will be addressed. Third-party service providers can take the lead on or assist with these initiatives, as well as with other efforts including continuous monitoring, multifactor authentication and network access control.
Dunbar Cybersecurity is ready to be your partner as your business prepares for the new regulations. Contact us today to get started and see how we can ensure your organization’s compliance and security.