New York State recently adopted a “first-in-the-nation” set of cybersecurity compliance requirements that affect any business or organization that reports to the Department of Financial Services (DFS). Effective March 1, the regulation, 23 NYCRR 500, is meant to anticipate, address, and thwart cybercriminals by requiring “each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”
CPA firms are not directly affected by 23 NYCRR 500—as they are not regulated by the DFS—but many of their clients and employers will be. Numerous companies fall under DFS jurisdiction, including banks and trust companies; insurance companies and related entities; mortgage brokers, originators, and servicers; and charitable foundations, as well as other New York State–regulated corporations. In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.
Requirements under the New Regulation
Under 23 NYCRR 500, all entities regulated by the DFS must perform an initial risk assessment and, using the results of that assessment, establish a cybersecurity program and implement cybersecurity policies; provide notice to the DFS of a cybersecurity event; establish policies for disposal of nonpublic information no longer needed; limit and periodically review access privileges; conduct periodic risk assessments; and implement policies and procedures to ensure third-party service providers are securing information accessible to them. In addition, entities not eligible for limited exemption must employ cybersecurity personnel, designate a Chief Information Security Officer (CISO), train employees and monitor authorized users, develop an incident response plan, establish multifactor authentication, conduct penetration testing and vulnerability assessments, establish procedures and guidelines for in-house developed applications, encrypt data at rest and in transit, and establish an audit trail.
Limited Exemption Rules
Although the new regulation applies to all entities regulated by the DFS, a limited exemption applies to covered entities with fewer than 10 employees (including independent contractors and affiliates) that are based in or direct business in New York, less than $5 million in gross revenue from New York business operations, or less than $10 million in year-end total assets. In addition, a covered entity that does not directly or indirectly control any information systems is exempt from all but three requirements, specifically, those to perform periodic risk assessments, to ensure third-party security, and to establish a policy governing data retention and destruction. Full exemption applies to employees, agents, representatives, or designees of a covered entity, or to a covered entity that must itself comply. If a company determines that it qualifies for the limited or full exemption, the organization must file a notice with the DFS within 30 days of such determination. In the event that the company ceases to qualify as of its most recent fiscal year-end, it then has 180 days from fiscal year-end to comply.
Limited exemption does not mean total exemption from the new requirements. As stated above, the exemption only covers the requirements to employ cybersecurity personnel, designate a CISO, train and monitor authorized users, establish an incident response plan and multifactor authentication, encrypt data, and keep an audit trail; all other requirements remain in effect.
Regardless of whether a business qualifies for the limited exemption, all of the requirements are best practices, especially considering what is at stake should a business fall victim to a cybercrime. In fact, most of the requirements are neither terribly expensive nor difficult to employ. A qualified IT or technology security company can help put them in place quickly and easily.
Organizations were not expected to have immediately complied by the March 1 effective date. A transitional period of 180 days has, however, commenced, and all affected organizations are expected to achieve the first round of compliance by August 28. This includes establishing and maintaining a cybersecurity program, implementing and maintaining a cybersecurity policy, designating a CISO, limiting user access privileges, utilizing qualified cybersecurity personnel, establishing a written incident response plan, notifying the superintendent of cybersecurity events, and filing a notice of exemption with the superintendent. An annual certification of compliance must be submitted to the DFS beginning February 15, 2018.
Requirements to be met by the one-year March 1, 2018, deadline include the CISO delivering an annual report to the board or governing body of the agency, as well as the organization conducting annual penetration testing, biannual vulnerability assessments, and periodic risk assessments; establishing multifactor authentication (if needed); and providing regular cybersecurity awareness training for all personnel.
By 18 months (September 1, 2018), organizations must have established audit trails; procedures, guidelines, and standards for development of in-house developed applications; and policies and procedures for data retention and disposal, as well as begun monitoring authorized users and encrypting data both in transit over external networks and at rest.
Within two years (March 1, 2019), organizations are expected to have implemented written policies and procedures to ensure security of nonpublic information that is accessible to or held by third-party service providers.
A business’s ability to meet these deadlines will depend on the size of the organization, as well as its level of internal IT security capabilities. For smaller companies with no or minimal current internal IT security capabilities, a turnkey solution may work best. Such organizations should seek out a suite of services that meets all of the requirements set forth in 23 NYCRR 500, as well as an IT provider that is up to speed on these new requirements. Small and midsize organizations with some internal or outsourced IT capability might also need to work with an IT provider to ensure compliance with every regulation (e.g., finding a provider that can serve as the business’s CISO). Larger companies with established internal IT departments might find they need assistance with only one or two of the regulations; in this case, an IT provider that can offer à la carte services makes the most sense.
Prevention Is Better than the Cure
Accounting professionals collect, compute, and share a great deal of sensitive financial information on a daily basis. It’s in everyone’s best interest to ensure that businesses are protecting this data to the best of their abilities. 23 NYCRR 500 is meant to ensure that nothing is overlooked in terms of cybersecurity and that systems are in place to continually assess and improve an organization’s cybersecurity protection. CPAs need to be aware of what their clients and employers need to do to comply with the new regulations and make sure they leave themselves enough time to do so.