2017 has already been a busy year on the cyber front. On the heels of many reported breaches and HIPAA fines imposed for even relatively small breaches, a major change in regulatory and enforcement rules took effect on March 1, 2017 under the New York State Department of Financial Services’ reworked Cyber Security Regulations.
Many of the organizations regulated by this state entity, such as large banks, already have robust cyber security measures in place. But for many other entities under this umbrella—such as charitable foundations, check cashers, money transmitters, mortgage brokers, mortgage loan originators and servicers, and premium finance agencies—these precautions have now moved from voluntary to mandatory.
Smaller firms (fewer than 10 employees or under $5M in revenues/$10M in assets) may not have to comply with all of the listed requirements and security controls, but will have to implement many of the fundamentals. While larger entities have the revenue and resources to implement these controls, smaller entities (SMEs) will face a challenge similar to smaller healthcare entities that are required to comply with HIPAA regulations.
Along with the financial costs to implement these controls, there is a resource challenge as well. Companies looking for experienced IT security professionals are finding themselves in a bidding war for talent. With the reinforcement, and essentially recertification, of HIPAA compliance this year, finding Chief Privacy Officers, Chief Security Officers or any additional IT security resources will be challenging to say the least.
So what is an SME to do? As with HIPAA, necessity is the mother of invention, and many of our security partners are shoring up their services for the SME space.
YourCISO.com, founded by Barry Kouns, works with SMEs to provide them with on-demand access to high-quality security and information risk management resources via an easy-to-use web portal. The company helps SMEs establish and maintain a comprehensive information security program—including security program policy documentation, incident response planning tools, awareness training materials and program benchmarking—to protect the confidentiality, integrity and availability of systems.
Corax (coraxcyber.com) provides a cyber risk analytics platform to show a covered entity its specific cyber risk profile, including key threats, value at risk, probability of a breach or business interruption, and risks associated with third-party service providers. Corax’s software also helps covered entities implement a risk management program to address these risks—a key requirement of the new regulations. The workflow in the software provides a turnkey system to run a risk management program and see percentage compliance with 23 NYCRR 500.
RPS will continue to keep an eye on this regulatory development to see if other states mirror the legislation, as well as monitor how the Cyber insurance market will respond to claims for companies not fully compliant with the new regulations.
Sources: New York State Department of Financial Services