We’re almost through 2020 and what a year it has been. Between the coronavirus pandemic turning nearly every industry on its head and a divisive, tumultuous presidential election that has turned the economy into a roller coaster, 2020 can hardly be described as a “business-as-usual” year for anyone. So how do we get back to “business-as-usual” in 2021? It starts with getting your house in order and not rushing to meet “last minute” deadlines that have, in fact, been around for quite some time.
Yes, we’re talking about cybersecurity legal and regulatory requirements. That’s what we talk about here at Securibly.
By now, we’ve all heard about the NY DFS Cybersecurity Regulation (23 NYCRR 500 or Reg 500) that was passed in 2017. The most onerous cybersecurity regulation for small businesses of all time, it put all financial services companies licensed in New York on the hook for some pretty extensive cybersecurity expectations. The goal of this post is not to break down that regulation. If you want more information on it, click here.
Following closely behind the passage of Reg 500, the NAIC released the NAIC Insurance Data Security Model Law, intended for states to easily pass a similar law to New York’s and improve the overall cybersecurity posture of the insurance industry. At the time of writing, 11 states have adopted legislation based on the NAIC Model Law including Alabama, Connecticut, Delaware, Indiana, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina and Virginia. Several more are expected to do so in the coming months.
As is to be expected, however, no two states have adopted the Model Law identically. Each state has made various carve-outs for smaller insurance companies, set different effective dates for certain provisions of the law, or altogether omitted certain requirements. It’s quite a mess, and following your requirements for each state is no easy task.
Here’s the truth though – every small insurance business has been required to have at least some form of a cybersecurity program for years under Gramm-Leach-Bliley. Cybersecurity requirements were not new when New York passed Reg 500; the bar was simply set higher. Additionally, aside from any legal or regulatory requirements you have around cybersecurity, we’re entering 2021. Cybersecurity has never been a bigger issue in our country. The expectation is that every company, regardless of size, is taking proactive and diligent steps to protect Nonpublic Information. If you aren’t, you could be looking at serious trouble in the event of a cybersecurity incident.
And don’t think that’s out of the realm of possibility. Small businesses are the victims of nearly 1/3 of all cyber attacks in the United States. Additionally, attacks in the financial sector increased 238% globally at the start of the COVID-19 pandemic. Interestingly, most attacks against small businesses are easily avoidable with employee training, the necessary procedural documents in place, and an understanding of where your greatest risks are.
Don’t delay on implementing a cybersecurity program. Not only is it required, but it’s necessary to keep your business running today. Starting with a risk assessment, a few procedural documents to guide the way and employee training will help you defend your data and defend your company in the event of an incident. If you don’t know where to start, don’t hesitate to reach out. For a fraction of the cost of any viable alternative, Securibly can help you stand up a defensible cybersecurity program in a matter of days.
Here’s to a healthy, safe and secure 2021. Cheers.