New York Cybersecurity Regulation Means Important Work for HR

By Dinah Brin October 30, 2017

To protect consumer data at financial institutions, New York enacted a regulation, in effect since March, requiring banks, insurers and certain other private-sector organizations to institute a series of cybersecurity controls by 2018. Through employee training and coordination with in-house or outside consultants, HR leaders will play an important role in assuring compliance.

Among other measures, the regulation requires each covered entity to establish a cybersecurity program to protect company data systems and private consumer information from hacking. Affected companies, also required to implement written cybersecurity policies, must be prepared to detect, respond to and report system breaches, and will have to conduct penetration testing and risk assessments.

They also must appoint a chief information security officer, limit workers' access to sensitive private data, use qualified cybersecurity employees or consultants, and ensure the security of systems and data that are accessible to third-party providers. Compliance is being phased in over two years.

"Cybersecurity prevention, detection and response is now a team sport where information technology professionals collaborate with legal, PR [public relations], human resources, procurement and … other areas across the company to formulate a unified response," said James Koenig, partner and co-chair of Fenwick & West LLP's privacy and cybersecurity practice in Philadelphia.


While previously enacted federal and state regulations address broad privacy and security matters, including cybersecurity, the New York State Department of Financial Services' new requirements are the first to focus on and dive deeply into cyber-specific risks, such as phishing, ransomware, and command-and-control attacks, Koenig said.

What HR Needs to Know

Of note for HR professionals, he said, the New York regulation goes further than any state or federal law on cybersecurity-specific training. Covered organizations must provide regular cybersecurity awareness training for all personnel, which should be updated to reflect potential problems identified in risk assessments. Companies also must use qualified cybersecurity personnel, either from within the organization or from third-party providers, to oversee their cybersecurity programs, Koenig noted.

The New York State Department of Financial Services said in the regulation that it "has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors."

The rules are designed to help protect consumer data and institutions' IT systems by setting minimum standards while not being overly prescriptive, the department said. Covered entities include those regulated under New York banking, insurance and financial services laws, although certain small businesses are exempt.

Cybersecurity: It's Every Employee's Job

New York's regulation is more stringent than the federal Gramm-Leach-Bliley Act, which requires financial institutions to safeguard sensitive consumer data, according to Koenig. Nonetheless, many large companies have had most of the required controls in place for years or have been working toward instituting them, he said.

"If you're in the industry, you should have been doing these things all along. Cybersecurity isn't new," Koenig said. More companies across the country are holding tabletop cyber-simulation exercises to train workers and to practice responses to breaches, so employees know what to do and when to tell general counsel, account holders, shareholders and state regulators, he said.

"It's not just IT; you have everybody sitting around the table," Koenig said. While financial services companies have conducted these simulations to varying degrees for years, more institutions and companies in other industries are now holding in-depth discussions involving people across the enterprise, he said.

While larger financial companies are prepared for most of the requirements, newer financial tech firms, even if not directly subject to the law, are increasingly being asked to have such controls in place when interacting with major banks, according to Koenig. "The larger companies don't want to put their information at risk at the hands of third parties," he noted.

Compliance Deadline Ahead

Companies must submit their first annual compliance certification to the state by Feb. 15, 2018.

Koenig expects similar laws to be implemented elsewhere. "The New York law is likely to influence lawmakers and regulators in other states and in other industries to increase the focus on the … investment and the required controls around cybersecurity," he said.

Trave Harmon, CEO of managed security and services provider Triton Technologies in Worcester, Mass., noted that Massachusetts has had a very stringent law in place since 2009 to protect state residents' personal information. Harmon said it's good to see the rest of the country catching up to his state.

The Massachusetts law, which covers both paper and electronic records, requires businesses that possess sensitive data on the state's residents to take numerous steps to protect the information, including implementing various computer and wireless security measures.

"If you touch any of our citizens, any of our citizens' data, you have to protect [them]. You can be in China, you can be in France, you can be in Mexico … if you have one Massachusetts citizen as a client, you fall under Massachusetts regulations," Harmon said. A bookkeeper working in a basement must take the same precautions as a Fortune 500 company under the Massachusetts law, he added.

Harmon said he tells clients not to fear compliance, and he emphasizes the importance of training so employees know what to do if even an unintentional violation arises.

HR and IT Must Partner on Security

Minneapolis employment attorney Kate Bischoff, who runs tHRive Law & Consulting and focuses on employee rather than consumer information, said she sees cybersecurity as a collaboration between IT and HR.

"I'm a big believer in employee training" that raises workers' awareness of cybersecurity, she said. "We need to make sure that they have bells in the back of their brains" so employees will sound the alarm when they see or hear something.

Businesses should reward employees who report a problem, including when they report their own mistakes, Bischoff advised, explaining that if an employee loses a phone or clicks on a malicious link in an e-mail, he or she should feel comfortable reporting it without fear of disciplinary repercussions.

"I advise clients to buy [the employee] lunch for telling us about it," she said. "Knowing what to do is really important, and training can help to do that."


Dinah Wisenberg Brin is a Philadelphia-based freelance writer focused on workplace issues, entrepreneurship, business, health care, personal finance and logistics.





