If you are a “Covered Entity” regulated by the New York State Department of Financial Services you must be compliant with the newly issued cybersecurity legislation that went into effect on March 1, 2017 (23 NYCRR Part 500), and you are also responsible for compliance by your third-party providers.
Third Party Cybersecurity Compliance Requirements in New York
Relative to how you employ and manage third party providers, here are a few highlights of the legislation that could have an impact on your policies, processes and cyber security practices:
- For the third party providers you work with, you will need to define the minimum cybersecurity practices required for them to do business with you.
- For the third party providers you work with, you will need to inform them of the sections of the regulation (e.g. encryption, multi-factor authentication) they must implement.
- You must do an assessment of each third-party provider’s cybersecurity program, policies and practices based on their access to your information systems and/or nonpublic information.
- You will be responsible for defining and communicating your acceptable minimum cybersecurity practices with each third-party provider you do business with.
- The cybersecurity policies and practices you have in place will likely need to be mirrored by each third-party provider you do business with.
- From time to time, you will need to conduct a due diligence assessment of your third-party providers’ cyber security policies and practices to see if they are compliance with your policies and practices, and the new regulation.
- Your third-party providers will be required to implement Multi-Factor Authentication or Risk-Based Authentication to protect against unauthorized access to your Nonpublic Information or Information Systems.
- With certain exceptions, your third-party providers will be required to implement encryption to protect Nonpublic Information in transit and at rest.
- Your third-party providers will be required to provide notice of any cybersecurity event directly impacting your Information Systems or your Nonpublic Information.
Do Covered Entities Need to Require a Comprehensive a Cybersecurity Audit from Their Third-Party Providers?
Having all your third-party providers conduct an audit of their cyber security program may be VERY difficult and problematic for both you and them.
One alternative for compliance purposes for compliance purposes (and our recommendation) is that that you have a specific examination performed by an independent CPA firm to attest the cybersecurity practices they have in place.
Comply with New York's 2017 Cybersecurity Regulations: Start Here.
The process of getting into compliance with the New York State Cybersecurity Regulations and their “pass through” to your third-party providers should start with a comprehensive assessment of your current cybersecurity program and controls against the new regulations and other leading frameworks to validate its design and operation.
The experts in Freed Maxick’ s Risk and Technology Advisory and Assurance Practice can help you to this end, as well as assisting in development and implementation of a remediation plan.
Our thorough assessment includes investigations of your policies, processes and practices governing your relationship with all relevant third party providers, as well as an assessment of their programs to provide assurances of their compliance with your requirements.
You can download our full New York Cybersecurity Regulation whitepaper here. To schedule an initial consultation, click here or call Dave Hansen, Principal at 585.360.1481View full article
Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website online; many of these solely conduct business through their website. With an uptick of devices that increases social media presence (i.e. the smart phone, tablets, apps); businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online does not just apply to corporations, but to entrepreneurs looking to start or grow their business online.
While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving the small companies ripe for the picking for cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is utilizing, or thinking of utilizing cloud computing or just using email and maintaining a website, cyber-security should be part of the plan. It is a business’s responsibility for creating a culture of security that will enhance business and consumer confidence.
In order for businesses to stay a step ahead of cyber criminals these steps should be taken to increase security:
Train your employees in security principles- establishing basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.
Protect computers, networks from cyber attacks- “cleaning” computers is one of the most vital things you can do to help prevent cyber attacks. For example having security software, web browser, and operating systems are the best defense against malware, viruses or other online threats.
Provide a firewall for your computer- a firewall is a set of related programs that prevents outsiders from accessing data on private network information. This includes ensuring that if an employee is working from home that their home system has firewall protection. One of the most common mistakes is downloading firewall programs but not “enabling” them; essentially “turning them on”.
Secure Wi-Fi networks- make sure that any Wi-Fi networks you have for your business is secure, encrypted and hidden. You can hide information by setting up your wireless access point or router so that it doesn’t broadcast a network name, and password protect access to the router.
Limit employee access to data- do not provide any one employee to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.
PCI Compliance is also a big part of being secure online. PCI DSS is the Security Standards Council that was put into place to ensure that businesses storing, transmitting, and processing payment card data, are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with number one set as the highest level. The level that your business requires depends on:
The volume of transactions you process, and
How you process them.
Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.
Freed Maxick CPAs
Freed Maxick’s tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessor’s certified by the Council to validate an entity’s adherence to the PCI DSS. Contact us and connect with our experts.