Impact of New York’s Cybersecurity Regulations on MSPs
As of March 1, 2017, New York State’s new cybersecurity regulations governing the financial services industry are now in effect. Dubbed “first-in-the-nation protections” by New York Governor Andrew Cuomo, these regulations require that institutions regulated by the NY Department of Financial Services (DFS) – including banks, insurance companies and other financial services providers – must establish and maintain a cybersecurity program that both protects the private data of consumers and supports the integrity of the industry in the state.
We – like most vendors – remain informed about new regulations such as this in order to better serve the managed service providers (MSPs) we work with. Ultimately, MSPs that are knowledgeable about legal trends in the industries they serve are able to offer superior and more tailored service to their end user clients. These MSPs can also ensure that their clients have all the information they need to make the right decisions around data security and regulatory compliance.
While the newly introduced regulations in question only affect financial services providers, and only those in New York State, this governmental action may very well influence other jurisdictions and localities to adopt similar regulations. At the same time, the regulations represent a best-practices framework around data security that makes a lot of sense for companies handling sensitive data, no matter their industry or location.
Here are the highlights of what MSPs serving organizations affected by these new regulations need to know:
1) A strong cybersecurity program is now required. Financial services organizations are now required to maintain a well-funded, staffed and managed cybersecurity program, and to keep senior leadership informed about it. The program must be led by a chief information security officer (or other such leader) who is responsible for safeguarding sensitive data.
2) Organizations must know their risks – and be ready to respond. Conducting security risk assessments and network penetration testing is now a required practice for larger companies, and every organization must have security policies and incident response plans in place to preserve data. These plans must include protocols for alerting DFS within 72 hours in the event of a data breach.
3) Certain minimum data security standards are required. Among other requirements, organizations must have access controls in place to guard against sensitive data falling into the wrong hands, and must protect that data with encryption so that all is not lost if and when sensitive data is accessed inappropriately.
4) Organizations must train employees in data security. Safeguards such as access controls and encryption are often only as effective as the employees armed with them are careful. Proper employee training helps to ensure that credentials are safely stored, active sessions aren’t left unattended, and phishing emails don’t get clicked. With the right training, employees can effectively prevent many of the common causes of data breaches.
5) The clock is ticking. While the new regulations are set to phase in throughout the next two years, many organizations must prepare employee-training programs and incident response plans over the next few months. Organizations have a year to implement risk assessment and other required capabilities, and 18 months to have encryption, data retention, audit trail capabilities, and application security in place.
MSPs who have clients directly affected by these new rules should be sure to familiarize themselves with the regulations in detail. While small and medium-sized businesses do have some reduced duties under these regulations, MSPs should also be aware that SMBs are more likely to depend on them to understand and address what is required. MSPs should also know about strategies that can simplify the job of implementing the full suite of safeguards a client needs to meet every criterion of these complex regulations. For example, at Beachhead we’ve seen Breach Secure Now! as a single-package service that provides risk assessment, security policies, employee training and other tools to prevent data breaches.
The same practices these regulations endorse are wise and recommendable for any organization dealing with sensitive data, even those that aren’t legally compelled to enact these protections. In the end, the regulations now active in New York State codify valuable data security safeguards for financial services organizations, which should serve both their customers and their industry well. It will be in the best interest of these organizations and their MSPs not to procrastinate, but to implement the necessary solutions and organizational changes needed to comply with these regulations as early as they can.
About the author
Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company offering a PC and Mobile Device encryption service platform for MSPs.