Cybersecurity is a growing concern for any business owner no matter the sector you operate in. However, when it comes to the New York State Department of Financial Services (NYDFS), specific guidelines and regulations for entities need to be followed to be compliant. Without these mandatory cybersecurity requirements, entities under the Department of Financial Services (DFS) run the risk of having their private information and their customers’ information stolen. But with the risks growing daily comes the need and urgency to adopt a cybersecurity program quickly.
So, what kind of regulations are we talking about? Everything from appointing a qualified Chief Information Security Officer (CISO) to investing in new technology and everything in between. In order to ensure that DFS entities are implementing the proper security measures, it is required that a CISO be appointed to create and oversee all processes and procedures that go into securing and maintaining your network. This person would be responsible for bringing on and vetting cybersecurity personnel and professionals to help execute specific tasks that will be necessary for a secure environment.
If you’re an organization that cannot necessarily afford to hire a CISO and team, Twinstate Technologies can act as your Managed Security Services Provider (MSSP) to fulfill that need, thus enabling you to comply with New York State cybersecurity regulations.
For those who are in this industry, Twinstate Technologies is hosting a free webinar on June 20th from 12:30pm - 1:30pm on 'How to Combat Ransomware'. This would be a great opportunity for anyone with questions to learn how their sector could get started on becoming compliant.
Once the team is assembled, it’s time for them to get to work. Long gone are the days when setting up basic anti-virus on each computer was sufficient. Your CISO will organize an overall plan for your network and help your defense be as effective as possible. Next, your team will dive deep into implementing that plan. Requirements include annual Penetration Testing and bi-annual Vulnerability Assessments to scan your system for any potential “holes” that might offer a gateway for malicious activity. Regular audits will need to be conducted; these audits will need to be designed in such a way as to detect and respond to cybersecurity events that are likely to cause harm to your system. Risk Assessments are also critical, as conducting them alongside the other assessments will help your CISO determine other security factors like employee permissions.
It isn’t just external risks that you will be required to guard against, but internal ones as well. Employee access will become stricter, allowing access only to those employees who need specific information to conduct their daily activity rather than to the entire organization. Putting a multi-factor authentication process in place will further strengthen your employees’ security: for instance, employee passwords coupled with fingerprint scans to log into a computer. Your CISO will also design a thorough employee cyber training course so that employees understand what is and is not an acceptable use of their workstations. They will also need to be trained on how to recognize malicious behavior should their workstation become infected. Other requirements include having a comprehensive Incident Response Plan, the appropriate contact information and an understanding of how to deal with a cyber-attack should one occur.
Cybersecurity Regulations in New York: The SHIELD Act
The latest cyber mandate from NY state, the NY SHIELD Act, enacted in March 2020, is having an impact on every business in New York state and many more across the country. The Stop Hacks and Improve Electronic Data Security law, as SHIELD is formally known, was enacted to protect consumer privacy and places the burden of protection on any organization that collects, stores, or possesses the private information of a NY resident.
That's right, you may not even employ a single resident of NY state but you would still be required to comply with SHIELD if a resident of NY state visits your website and fills out a form, giving you their name and phone number, for example.
Though these mandates only skim the surface of what your entity will be required to establish, there are resources that you and your CISO can refer to if you have questions. As the cybersecurity landscape continues to change rapidly, so does the need for organizations to take the proper steps to protect their networks for themselves and for their customers. Partnering with a capable and trusted resource can help you achieve that.