With National Cybersecurity Awareness Month beginning in October, employers should assess the safeguards they have in place in order to protect confidential information that is sent and stored electronically. Providing a written cybersecurity policy is a quick and simple way to ensure that all employees, vendors, and contractors understand the various policies that a company or organization may have.
Advancements in technology have made transferring documents and sharing information much easier and faster. Information that previously had to be sent by messenger or explained in person can now be delivered by the push of a button. However, sending or storing information electronically is not nearly as safe as we’d like to believe. Almost every day, we hear of hackers who devote their time to penetrating “secure” networks, enabling access to an array of confidential consumer and business information.
An increasing number of employers have been looking to develop detailed cybersecurity policies that reflect necessary protections for servers, files, e-mails, wireless Internet, remote access programs, and a variety of other systems. Prudent employers recognize that, without a specific policy in place, they may find themselves at serious risk. For more information on risk, and what mistakes most employers are making, see our article on Protecting Property, Employees, and Clients.
Having a written cybersecurity policy has been determined to be so important that it will no longer be optional for certain companies. State regulators are beginning to mandate both cybersecurity programs and policies for certain employers in order to ensure the protection of confidential information and industry security.
New York State Takes Action
On September 28, 2016, the New York Department of Financial Services published proposed cybersecurity regulations for financial services institutions, including banks and insurance companies. Through this announcement, New York has become the first state to propose regulations to protect consumers and financial institutions from the “ever-growing threat of cyber-attacks.”
Following a notice and public comment period, the Department will issue its final rule.
Proposed Regulations
Under the Regulations, financial services institutions will be required to establish a cybersecurity program and adopt written policies. Additionally, they will need to appoint a Chief Information Security Officer to enforce the policies and answer any questions concerning information protection.
Financial institutions will have to meet specific regulatory standards based on the services they provide. The key elements that will be required in an employer’s cybersecurity policy are as follows:
- Vulnerability Assessments;
- Audit Trails;
- Access Restrictions;
- Application Security;
- Risk Assessments;
- Cybersecurity Personnel and Intelligence;
- Third Party Information Security;
- Multi-Factor Authentication;
- Data Retention Limitations;
- Training and Monitoring;
- Encryption of Nonpublic Information;
- Incident Response Plans; and
- Notices.
New York has taken a prominent step in recognizing the importance of having and implementing cybersecurity policies in order to prevent confidential information from falling into unauthorized hands. The Regulations will provide much needed protection to consumers and the financial services industry of New York.