Prepare Your Business for the Inevitable Cascade of Cybersecurity Legislation
It started with the enactment of the GDPR. Then New York’s Department of Financial Services put out 23 NYCRR 500. Most recently, Colorado’s Division of Securities adopted final cybersecurity rules under the Colorado Securities Act. Even though both U.S. state rules apply primarily to the financial and securities sector, one can either write off these business-requirement rules as reactionary responses to the increasing acknowledgment of cyber risk or see them as the beginning of a slippery slope of government overreach. But prudent executives and board members should view the rules and regulations that have gone into effect in the last year as the bellwether of bigger things on the horizon.
Throughout the history of the United States, change has, more often than not, happened incrementally and slowly as the country adjusted to new circumstances and attempted to adopt new policies and laws to reflect a new reality. As an example, consider the cascade of legislation across the country that has legalized medical marijuana in 29 states over the last 20 years.
Just as those early and current medical marijuana laws were enacted in the interest of patients, the recent cybersecurity rules in New York and Colorado were debated and enacted in the interest of protecting and prioritizing consumer information. And just as the medical marijuana debate has spilled over into more general laws decriminalizing marijuana use in some states, the likelihood is that state cybersecurity regulations governing the financial services sector will soon follow suit and broaden to other industries.
While New York’s rules are significantly more comprehensive and prescriptive, Colorado’s regulations share several similarities with them. Comparing the two regulations reveals commonalities that may indicate key themes businesses and their executives can expect as cybersecurity continues to rise as a state and national legislative priority:
- An interest in protecting consumer information
- An annual risk assessment requirement
- Use of secure email for PII (personally identifiable information) and authenticating client instructions
- The importance of, and requirement for, access controls on a business’s information systems
- An insistence on multi-factor authentication
Businesses in all industries, especially those with significant customer data and sensitive consumer information, would be well served to take note of these requirements. It would be prudent to start thinking through and implementing (if you haven’t already) a cybersecurity strategy that takes these consumer protections into account. As we’ve seen with the recent Equifax breach, there is an increasing recognition that the private sector and/or market forces don’t work where there isn’t a true buyer and seller relationship. As security and privacy evangelist Bruce Schneier puts it, “Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.”
Regulations will inevitably evolve as we struggle to reconcile the security and privacy we expect as consumers with the cost efficiency and efficacy of business. Of course, any regulations considered should be drafted to respect a business’s right to make informed, risk-based decisions about what initiatives to pursue, what security provisions to implement, and how to implement them.
At CyberVista, we recognize the challenges senior executives face in addressing today’s cybersecurity risks, especially as regulations grow in frequency and complexity. Our Cyber Resolve board and executive training programs provide engaging content that will help you learn to manage your organization’s cyber risk. If you are a senior business leader looking for a greater understanding of how cybersecurity issues impact your organization, please contact us or request a free quote.