Read the news and chances are you'll see yet another report of a major cybersecurity breach. Big brands and small companies alike; none are immune. So it came as little surprise to see a recent article in Fortune reporting on new cybersecurity regulations from the State of New York for companies in the financial industry.
In essence, the rules will hold financial firms accountable for preventing cyberattacks by requiring them to encrypt sensitive data and appoint a Chief Information Security Officer (CISO). What's more, they require senior executives to certify the firm's cyber-compliance. The rules go into effect in 2017. And while they apply only to financial firms licensed by the State of New York, given the sheer number of financial companies in the state, the new regulations will have a big impact.
Several things really struck me about this story. First, most of the infosec requirements companies face today come from standards managed by industry bodies rather than from government agencies. Think of PCI DSS, SOC 2, or ISO 27001: none of them is mandated by a government agency. Even NIST and FedRAMP requirements reach private companies through the contracts those companies hold with the federal government, so they are really about contract compliance rather than government-mandated compliance. New York's rule is different: it is a government mandate that applies to a firm simply because of the license it holds. I would expect additional state and federal government entities to follow New York's lead, and we'll see a big jump in the number of national and international regulations related to cybersecurity.
For those of us in the compliance industry, more and more complexity is the new normal. How do we, both as an industry and as information security practitioners at our organizations, even begin to manage this? And how do companies remain healthy and innovative under the weight of all this compliance complexity?
If you manage information security for your company, what do these new regulations mean for you?
Regulatory requirements are no longer just the domain of the compliance and risk team. These are C-level and Board-level issues. Companies will pay a steep cost for non-compliance. Your day-to-day job may be focused on protecting your company’s infrastructure in order to prevent a breach. But with these new regulations on the horizon, you need to start speaking the language of the CEO and Board on these issues. New York’s new cyber regulations are a catalyst for thinking more strategically about information security and compliance.
More complexity is coming and you need to be prepared. Are you managing your compliance program with a mess of spreadsheets? The more regulations you need to comply with, the more untenable your spreadsheet management becomes. Now’s the time to start investigating solutions for automating compliance and audit-related tasks and workflows.
Urgency is the watchword of the day. If the New York cyber regulations proceed unaltered, they will go into effect in January 2017, and companies will have a mere six months to comply. That's not much time. It means infosec managers need to communicate with upper management now, this year, so that these new requirements are factored into the 2017 budget. The clock is ticking to get your house in order before the end of Q2 2017, or you risk not just a cyber breach (which is bad enough), but also falling out of compliance with the State of New York.
Here at ZenGRC, we’ll be watching these new regulations closely and we’re here to answer any questions you may have. Don’t hesitate to contact us at engage@zengrc.com.