If you’re a Philadelphia area company, you need to be aware of strict new cybersecurity regulations that may affect your business. New York institutions that work in and around financial services have until March 1, when stringent new cybersecurity regulations go into effect.
The New York Department of Financial Services’ regulations require companies to document cybersecurity policies and procedures based on a risk assessment tailored to their own business, to create contingency plans, and to run programs that raise employee awareness of cybersecurity issues. The rules are the first of their kind in the U.S. Kevin Hyde, managing director of Exton-based cybersecurity firm Layer 8 Security, explains that the regulations stand to affect any organization under the NYDFS umbrella, and with it any company, wherever it is located, that is tied into that organization’s information systems, because covered entities are required to manage the cybersecurity risk posed by the third parties that touch their systems and data. According to experts, New York’s cybersecurity regulations are likely to have a ripple effect across the country.
“There are Philadelphia-area businesses this is definitely going to affect,” said Hyde. Layer 8 Security has clients in the region that do business with New York-based firms, and those clients have already begun requesting help in meeting NYDFS compliance standards so they don’t lose that business. They include software-as-a-service providers, staffing firms, insurance companies, payroll services and any other vendor with access to an impacted company’s data.
Cybersecurity awareness is nothing new, and many companies have already adopted cybersecurity standards and best practices without being required to do so. The NYDFS regulations aim to set the baseline for what counts as acceptable cybersecurity practice.
“Using a risk assessment, whether it’s done in-house or through a third-party, sets a foundation for a cybersecurity plan that allows companies to craft policies to their unique way of doing business,” said Hyde. Companies that are non-compliant could also face significant fines. “This is a pretty good framework,” noted Hyde. “It’s a good way to set your company up for success. Companies can no longer get away with doing nothing.”
For firms that don’t already have a company-wide focus on cybersecurity, the requirements — which include naming an executive responsible for cybersecurity, training all staff, and possibly buying new software and hardware — can be costly. Companies may need to create an entirely new function within the firm, with its own systems and reporting lines. The cost of becoming compliant will vary, and for some companies it may reach six figures. Keep in mind, however, that the cost of a data breach can far exceed that, once both tangible expenses and intangible ones, such as damage to a company’s reputation, are counted. “Unless your business is so distinct that customers have no other choice but to stay with you, it’s likely a data breach will also breach customers’ trust, and ‘could be a catastrophe’ for an entity,” said Steve Fiergang, Layer 8 Security’s general counsel.
Many cybersecurity firms are either emerging or expanding to meet the coming demand. Businesses looking to contract with a third party for cybersecurity should find one that takes a holistic view of the company’s specific needs and data and that addresses both prevention and recovery. A strong emphasis on employee training is also essential, since human error is estimated to account for up to 60 percent of data breaches. Planning ahead is smart as well. With the NYDFS regulations rolling out in the world’s financial hub, it is highly likely that similar regulations will soon be adopted elsewhere, including in Philadelphia.