After considering all the feedback that was submitted during the 45-day comment period, the state of New York’s new cybersecurity regulations were enacted today. While most regulations seem rote, this one has an interesting twist. “This is the first time I’ve seen a regulator explicitly allow firms to outsource the Chief Information Security Officer (CISO) role,” said Gary Roboff, Senior Advisor to the Shared Assessments Program. “It’s certainly an innovative solution to enable very small firms to have a qualified resource in that role, but I think it remains to be seen how effective this solution will be in practice.
The regulations go into effect today, March 1st, after which companies have 180 days (until Sept. 1) to comply. Similar to the original specifications, these regulations are aimed at banks, insurance companies, and other financial services institutions that are regulated by New York’s Department of Financial Services. While the focus is on the financial sector, the impact will be much broader. All companies providing services to a New York covered entity must demonstrate an acceptable information security program.
The regulations are risk-based and mandate some minimum standards, including: adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems. More details on the regulation can be found here.
We recommend organizations impacted by this regulation prepare for an audit-ready posture. Take advantage of tools that enable you to understand threats and vulnerabilities, assess your IT environment and manage incident response, to name a few. Create a central repository for identifying and tracking risk. Perform vendor assessments consistently and monitor constantly.
Also, keep in mind the mandate that requires organizations to ensure the security of information accessible or held by third parties. This is often a difficult aspect of risk and compliance to manage. Some organizations have tens of thousands of vendors accessing and sharing data. It can be overwhelming to keep track without an automated system. In fact, a recent Rsam poll discovered that 50% of organizations perform risk assessments on less than 15% of their total vendor universe.
With the 180 day countdown underway, we expect it to be a busy summer for risk and compliance professionals doing business in New York.