New York Implements New CPA Cybersecurity Requirements

New York is the first state in the nation to adopt a set of cybersecurity compliance requirements for any businesses that report to the Department of Financial Services (DFS). This seems like a step in the right direction seeing how hackers are very attracted to financial data. But it does beg the question: How will these requirements affect certified public accountants (CPAs)?

Below, CyberPolicy compiles all the information you need to know about the new regulations. However, it's important to keep in mind that if you do fall prey to a cyberattack, you could be on the hook for hefty financial losses to you or your clients. Thankfully, CPA cyber insurance is here to help.

Everything You Need to Know
As of March 1st, the new cybersecurity requirements (23 NYCRR 500) are in effect. The goal of this program is to "anticipate, address and thwart cybercriminals" by requiring "each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion," according to CPA Journal.

While CPA firms are not directly affected by the new requirements - since they are not regulated by the DFS "“ they are still tangentially related to organizations that are under DFS oversight. In other words, as a CPA you will need to understand and abide by the requirements in order to better serve your clients and employers. These will include banks, trust companies, mortgage brokers, charitable foundations, state-regulated corporations and more.

"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks," says New York Governor Andrew Cuomo. "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."

So, what exactly are the new requirements? Under 23 NYCRR 500, all entities regulated by the DFS must:

  • Perform an initial risk assessment
  • Establish a cybersecurity program based on their assessment, and implement the first round of compliance policies by August 28th
  • Provide notice to the DFS within 72 hours of a cybersecurity incident
  • Establish disposal policies for nonpublic information
  • Limit and review access privileges
  • Conduct a regular risk assessment
  • Implement policies and procedures to ensure third-party service providers are securing information accessible to them

Of course, there are limited exemptions for businesses that have fewer than 10 employees, earn less than $5 million in gross revenue from New York-based business operations or hold less than $10 million in year-end total assets. If, however, the organization in question surpasses these exemption requirements, they must also:

  • Employ cybersecurity personnel
  • Designate a Chief Information Security Officer (CISO)
  • Train employees and monitor authorized users
  • Establish an incident response plan
  • Employ multi-factor authentication
  • Conduct vulnerability assessments; such as penetration testing
  • Encrypt data at rest
  • Establish an audit trail

By February 15 every year, organizations must submit a statement to New York's superintendent of financial services that certifies compliance.

Admittedly, this is a lot to keep in mind at first glance. But all it really boils down to is assessment, planning and implementation of vital cybersecurity protocols. CPAs would do well to perform their own risk assessments, encrypt their data at rest and in transit and report any cybersecurity incidents to their cyber insurance provider.

Visit CyberPolicy for more information!

Insurance shopping simplified

Review personalized quotes, select coverages, and buy online - Everything insurance, all-in-one-place.
© 2010 - CoverHound LLC - All rights reserved.
PO Box 9070, Carlsbad, CA. 92018-9070
CyberPolicy®, "Plan. Prevent. Insure."™, and "CyberCheckup"™ are trademarks of CoverHound LLC
DBA: CoverHound Insurance Solutions - CA License No. 6005304