The recent cyber attack on Equifax highlights the significant need for accountants to understand one of the most critical issues facing firms and their clients today – cybersecurity.
New York State recently adopted a “first-in-the-nation” set of cybersecurity compliance requirements that impact any businesses or organizations that report to the Department of Financial Services (DFS). Effective March 1, 23 NYCRR 500 is meant to anticipate, address, and thwart cybercriminals by requiring “each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”
CPA firms are not directly affected by 23 NYCRR 500—as they are not regulated by the DFS—but many of their clients and employers will be. Numerous companies fall under DFS jurisdiction including banks and trust companies; insurance companies and related entities; mortgage brokers, originators, and servicers; and charitable foundations, as well as other New York State–regulated corporations. In order to counsel these businesses, CPAs must understand the new regulations and their impact. In addition, it makes sense for CPA firms to be proactive in adopting the new regulations, as the profession itself is likely to be included in future regulatory efforts.
1. Requirements under the New Regulation
Under 23 NYCRR 500, all entities regulated by the DFS must perform an initial risk assessment and, using the results of that assessment, establish a cybersecurity program and implement cybersecurity policies, provide notice to the DFS of a cybersecurity event, establish policies for disposal of nonpublic information that is no longer needed, limit and periodically review access privileges, conduct periodic risk assessments, and implement policies and procedures to ensure that third-party service providers are securing the information accessible to them. In addition, entities not eligible for the limited exemption must employ cybersecurity personnel, designate a Chief Information Security Officer (CISO), train employees and monitor authorized users, develop an incident response plan, establish multifactor authentication, conduct penetration testing and vulnerability assessments, establish procedures and guidelines for in-house-developed applications, encrypt data at rest and in transit, and establish an audit trail.
3. Compliance Deadlines
Organizations were not expected to have immediately complied by the March 1 effective date. A transitional period of 180 days has, however, commenced, and all affected organizations are expected to achieve the first round of compliance by August 28. This includes establishing and maintaining a cybersecurity program, implementing and maintaining a cybersecurity policy, designating a CISO, limiting user access privileges, utilizing qualified cybersecurity personnel, establishing a written incident response plan, notifying the superintendent of cybersecurity events, and filing a notice of exemption with the superintendent. An annual certification of compliance must be submitted to the DFS beginning February 15, 2018.
Requirements to be met by the one-year March 1, 2018, deadline include the CISO delivering an annual report to the board or governing body of the agency, as well as the organization conducting annual penetration testing, biannual vulnerability assessments, and periodic risk assessments; establishing multifactor authentication (if needed); and providing regular cybersecurity awareness training for all personnel.
By 18 months (September 1, 2018), organizations must have established audit trails; procedures, guidelines, and standards for the development of in-house applications; and policies and procedures for data retention and disposal, and must have begun monitoring authorized users and encrypting data both in transit over external networks and at rest.
Within two years (March 1, 2019), organizations are expected to have implemented written policies and procedures to ensure security of nonpublic information that is accessible to or held by third-party service providers.
A business’s ability to meet these deadlines will depend on the size of the organization, as well as its level of internal IT security capabilities. For smaller companies with no or minimal current internal IT security capabilities, a turnkey solution may work best. Such organizations should seek out a suite of services that meets all of the requirements set forth in 23 NYCRR 500, as well as an IT provider that is up to speed on these new requirements. Small and midsize organizations with some internal or outsourced IT capability might also need to work with an IT provider to ensure compliance with every regulation (e.g., finding a provider that can serve as the business’s CISO). Larger companies with established internal IT departments might find they need assistance with only one or two of the regulations; in this case, an IT provider that can offer à la carte services makes the most sense.
4. Prevention Is Better than the Cure
Accounting professionals collect, compute, and share a great deal of sensitive financial information on a daily basis. It’s in everyone’s best interest to ensure that businesses are protecting this data to the best of their abilities. 23 NYCRR 500 is meant to ensure that nothing is overlooked in terms of cybersecurity and that systems are in place to continually assess and improve an organization’s cybersecurity protection. CPAs need to be aware of what their clients and employers need to do to comply with the new regulations and make sure they leave themselves enough time to do so.