On March 1, 2017, the State of New York implemented 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies. It requires all individuals and entities operating under “a license, registration, charter, certificate, permit, accreditation or similar authorization under Banking Law, the Insurance Law or the Financial Services Law” to have and maintain a cybersecurity program.
Subsequently, the National Association of Insurance Commissioners followed New York’s lead by passing its own Model Law in October 2017. To date, eight states have adopted the Model Law. A number of other states also have similar cybersecurity laws under consideration.
Developing a cybersecurity program can be a daunting task, especially for smaller agencies that may not have much experience with this complex and quickly changing area or that don’t have an in-house IT team. It doesn’t have to be overwhelming, though. It’s a question of taking it step by step.
The Components of a Cybersecurity Program
Each state’s regulation varies in its particulars, of course, but they have certain common key requirements:
- Risk Assessment
- Protection of Data Integrity
- Application Security
- Informed Oversight of the Information Security Program
- Employee Training and Monitoring
- Oversight of Third-Party Service Providers
- Incident Response and Notification Plan
Licensees must document their cybersecurity programs with written policies and then periodically certify compliance with state regulators.
In some states, exemptions are available for some individuals or business entities. But for entities, in particular, these are often limited exemptions. Chances are you’ll still need to comply with some requirements.
In his 2017 webinar, Understanding New York’s Cyber Regulations, Joe Yetto of TAG Solutions pointed out that cybersecurity planning should always begin with a risk assessment. Completing such an assessment can be time-consuming, but consider it an investment in your business. Yes, you can get a fill-in-the-blanks cybersecurity policy off the Internet and say you’re good to go. However, it’s very likely that such an approach will either leave you vulnerable to certain risks or cause you to waste time and money preparing for highly unlikely threats. Think of it as being over- or under-insured.
For agencies with limited in-house IT resources, there are tools available to walk you through the process. For example, the National Institute of Standards and Technology (NIST) offers a free Cybersecurity Framework. Still, this is one step where you may seriously want to consider getting expert help. After all, this assessment forms the foundation of your entire cybersecurity program. You certainly want that foundation to be a firm one!
Mitigating Risks …
Once you complete your initial risk assessment, you can begin to close the gaps in your cybersecurity. This is where many of the requirements listed above come into play. The goal of any cybersecurity program is to protect the integrity of the information stored in your IT systems.
When most of us think of threats to data integrity, it’s hacking, computer viruses, malware, and ransomware that come to mind. But data can also be lost or corrupted through unintentional human error (ever deleted a file you didn’t mean to?), during transfers of information from one device or system to another, and through hardware failures. It doesn’t take a malicious act to seriously mess up your data!
A good cybersecurity program takes into account the many and varied reasons that good data goes bad (so to speak) and puts measures in place to prevent problems, to quickly detect and respond to incidents that do occur, and to restore lost or corrupted data from an alternate source, such as a backup. For example, typical measures include controlling access to systems and information, data encryption, auditing system activity, and implementing firewalls and virus/malware detection software.
… Inside and Out
Another key area your program needs to address is outside threats to your IT system. We live in a “there’s an app for that” world. As a result, people are used to downloading apps for computers and mobile devices from the internet. Often, however, these applications introduce instabilities and/or vulnerabilities into your information systems. Application security involves following best practices when developing original applications and assessing the risks posed by apps created by others.
And it’s not just what your team does that you need to take into consideration. Modern cybersecurity regulations also expect you to monitor the activity of any third parties with access to your systems and data. A breach of a third party’s system requires the same response as a breach of yours.
In cybersecurity circles, it’s said that there are two kinds of people: those who’ve been breached and those who just don’t know it yet. Truthfully, it’s highly likely that your business will suffer a cybersecurity incident of some degree at some point. Consequently, another key component of your cybersecurity program is knowing when and how you need to notify regulators and clients of a breach.
Creating a Culture of Cyber Awareness
Knowing your risks and taking steps to mitigate them are important, but the best plan in the world won’t help if people don’t understand and follow it. Therefore it’s essential to create a culture of cyber awareness at your agency. Most regulations require employers to provide and document cybersecurity training for all employees at least annually, although spacing training out through the year often produces better results.
It’s not just employees that need to play an active role in cybersecurity, and it’s not a responsibility that can be delegated to your IT team and then ignored. Regulations normally require that a qualified individual with access to current cybersecurity intelligence oversee the program. In some states, this must be a C-suite position. Additionally, an entity’s senior officer or board of directors must assume direct responsibility for its cybersecurity policies and procedures. This typically takes the form of a certification of compliance by the officer or board.
Moreover, few aspects of cybersecurity are one-and-done propositions. Risk assessments must be repeated on a regular basis. Cybersecurity policies and procedures must adapt constantly to new threats and changing business conditions. Regulations evolve, and new regulations are added. And all of this must be documented, documented, documented! As I said at the beginning, it can be a daunting task. But compared to the devastating results of a significant breach, it’s worth doing and doing well.