The New NY Cyber Security Rules: A Sign Of What's to Come?

Security Special Supplement

The New NY Cyber Security Rules: A Sign Of What's to Come?

By Special Guest
Ebba Blitz, CEO, Alertsec
  |  December 15, 2017

The toughest cyber security regulations in the nation are now in place. New York has imposed new policies which aim to protect both companies and consumers.

Businesses throughout the country need to pay attention to these landmark regulations because, as we know, as goes New York goes the rest of the nation.

Businesses are required to:

  • run a cybersecurity program aimed at protecting consumers,
  • name a designated chief information security officer,
  • utilize multifactor authentication,
  • implement and maintain an approved written policy, and
  • report hacking attempts to the state within 72 hours .

The New York regulations impact financial, health, and insurance organizations. So these organizations should become familiar with New York State Department of Financial Services 23NYCRR 500 to learn about the new requirements. 

Small and medium businesses within these industries may find compliance especially challenging because they often lack the resources larger enterprises have to implement, monitor, and audit their security systems.

However, while these regulations may seem burdensome, it is important to remember that the intent is to protect personal and private data. Compliance does not need to be complicated or expensive.

A reliable cyber security program makes good business sense because a data breach can be catastrophic to an organization’s bottom line. These new government regulations only make cyber security more essential. The price of implementing a sound IT security chain is insignificant compared to the cost of a fine, both to your bottom line and your reputation. On a national level, we’re seeing the Office for Civil Rights impose increasingly steep penalties, including multi-million dollar fines.

The New York legislation is also the first to address an often-overlooked part of the IT security chain: third-party contractors. Anyone who shares data with anyone else needs to extend their security policy to that party. You can’t have a weak link in the IT security chain.

Companies, especially SMBs, should conduct a security assessment. It is necessary to ensure every device is encrypted – phones, tablets, and laptops. The reality is that the best way to really control your company’s IT security is to have a strategy in place that includes the management of all devices in house and avoiding the risks introduced by bring your own device. Remember, there are many IT security layers, and that’s what makes it hard. It’s not a one-stop shop. You have to create your own strong IT chain.

It is also important that SMBs understand where sensitive data lies and how it is protected in the process of doing business. Encryption in the cloud protects you from the wrong people getting your data in the cloud, but full endpoint encryption is necessary to have a complete security chain. If you don’t have endpoint encryption, a perpetrator can access your log-in credentials to everything that you store in the cloud. It’s like locking your door but leaving the keys on the front step. The strategy must also account for the security of data in transit, including providing for the use of firewalls and virtual private networks.

Multifactor authentication is required. Multifactor authentication should include something you have and something you know to verify the user.

As large institutional hacks continue making headlines, Americans are becoming increasingly concerned about the safety of their personal and financial information. The New York State legislature has responded by enacting the toughest cyber security regulations seen to date. Given the importance of this issue to the public, I expect that many other states will follow suit. Soon, implementing a reliable cyber security program will not just make good business sense, it will be required throughout the country. 

Ebba Blitz is CEO of Alertsec (

Edited by Erik Linask
blog comments powered by Disqus