As cyber threats grow more sophisticated, businesses face mounting pressure to protect sensitive data and comply with evolving regulations. In examining New York’s response, we can identify some of the challenges in adopting rigorous information management cybersecurity policies as well as the importance of doing so.

Information Management Cyber Attacks on the Rise and Legislative Responses

Cyber-attacks have grown more frequent and more severe in recent years. Modern business relies on a growing number of remote employees and on e-commerce, and both trends widen the attack surface. In addition, attackers have an increasing number of sophisticated tools at their disposal, including AI-assisted technologies. The resulting data breaches carry numerous consequences for businesses, from reputational harm to financial losses. According to a study performed by IBM, data breaches cost companies an average of $4.9 million worldwide, and nearly double that figure in the United States.

In response to these threats, numerous jurisdictions across the world have introduced legislation dealing with data security. In the U.S. alone, 49 states have introduced over 800 bills dealing with cybersecurity, and more than 200 of these bills have been adopted. In particular, New York’s amendments to its cybersecurity regulations recently came into effect.

What do New York’s Information Management Cybersecurity Regulations Require?

New York’s 23 NYCRR Part 500 applies to entities regulated by the state’s Banking, Insurance and Financial Services laws. The latest amendments became effective on November 1 and introduced a set of cybersecurity requirements, including:

  • Annual risk assessments and compliance certifications
  • Written cybersecurity policies
  • Access privilege controls
  • Mandatory multifactor authentication for external network access
  • Asset inventory programs to track all information system assets
  • Secure disposal of nonpublic information when no longer necessary for business operations

Potential Challenges of Compliance

These requirements are intended to ensure robust security and accurate tracking of information throughout its lifecycle, so that data is safeguarded and retained only for the appropriate duration. To comply, a business must not only adopt rigorous security measures but also know what information it holds in its systems and where that information is stored. Compliance also requires identifying every application and information system that stores, transfers or processes information, including those operated by third-party vendors.

Even businesses not subject to New York’s Part 500 can adopt proactive measures to follow information management cybersecurity best practices and reduce risk. Implementing access controls such as strong passwords and multifactor authentication is critical to preventing unauthorized access. Beyond technical solutions, ensuring that employees receive adequate phishing and cybersecurity awareness training strengthens an organization’s first line of defense against threats. Finally, businesses must create an incident response plan to ensure business continuity and recovery if the worst-case scenario does happen.

Final Thoughts

With cyber risks increasing in number and ranging from attempts to phish individuals to advanced ransomware attacks, cybersecurity for records and information management has become a business necessity. However, these policies and procedures can be difficult to implement on top of existing information systems. Beyond adopting technical controls, businesses must have a complete understanding of what data they hold, where that data resides, and what applications process it. By adopting these measures, businesses achieve compliance with regulations, reduce their cyber risk, and earn greater consumer confidence in their cybersecurity standards.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.