Does Your Cybersecurity Comply With Regulations? How to Find Out
The biggest cybersecurity threats we now face are those that exploit human psychology rather than technical prowess. These include ransomware and social engineering attacks, such as phishing, that harvest personal information which can then be used to take control of your systems.
These security breaches are almost always made possible by bad user behavior. When we say “bad user behavior”, we don’t necessarily mean malicious, but rather blindly clicking links or opening attachments in email, or falling behind on software patches and leaving systems open to exploits. These are still the top ways for attackers to obtain illegal access to your network.
Urgent Need For Compliance to Cybersecurity Regulations
Since we cannot control the behavior of all users in our network, IT managers and cybersecurity professionals need to stay on top of endpoint security of all devices that access their company network. In fact, depending on the size of your company and how you receive payments, state and federal laws require your company to comply with cybersecurity regulations.
The challenge is that small-medium companies (with annual revenues of $20-50 million per year) often lack the staff, expertise, or resources to stay up to date on cybersecurity compliance within their infrastructure and network. If they don’t have their own in-house Security Operations Center (SOC), they may need a managed SOC-as-a-Service in order to comply—and stay in compliance with—local, state, and federal cybersecurity laws.
Cybersecurity Standards and How to Comply
Most companies in the New England region are subject to three cybersecurity standards and certification requirements:
- NYDFS Cybersecurity Regulation: 23 NYCRR Part 500
- Cybersecurity Maturity Model Certification (CMMC)
- Payment Card Industry Data Security Standard (PCI-DSS)
NYDFS Cybersecurity Regulation: 23 NYCRR Part 500
This regulation, based on the NIST Cybersecurity Framework (CSF), establishes cybersecurity requirements for covered entities in financial services, such as banks operating in New York State, provided they have at least 10 employees. The Department of Financial Services publishes a detailed FAQ on compliance requirements, including exemptions, for 23 NYCRR Part 500.
RELEVANT: First Enforcement Action From NYDFS Against Insurance Company
In July 2020, the NYDFS brought an enforcement action against First American, an insurance company where hundreds of millions of private documents had been indexed by search engines so that they could be found on Google. Because the company failed to remedy the exposure promptly after it was discovered in December 2018, civil penalties are now being assessed. It is worth noting that, in a similar case, the Equifax security breach resulted in $149 million in fines.
Cybersecurity Maturity Model Certification (CMMC)
Defense suppliers are subject to CMMC, a cybersecurity framework that combines controls and ideas from NIST, ISO, and AIA. It is a standardized and unified control set and methodology for DoD contractors. The Office of the Secretary of Defense provides a FAQ about CMMC.
Since October 2020, contractors and subcontractors are approved for defense contracts only if they hold the correct level of CMMC certification; there are five levels of compliance. CMMC also requires a third-party auditor, because the DoD does not allow self-certification at any level.
Payment Card Industry Data Security Standard (PCI-DSS)
If your company accepts credit cards for payment, your system needs to be in compliance with the PCI-DSS, a nationwide standard that secures online payments and builds trust with consumers. The PCI-DSS standard has 4 different tiers depending on how many transactions you process annually. In some cases, you may need on-site assessments, while in others you may be allowed to submit documentation.
Under these cybersecurity regulations, you may need an on-site assessment in which an auditor requires written proof of compliance. Auditors physically perform thorough on-site security audits and collect in-depth documentation to determine whether your company is in compliance.
Our SOC-as-a-Service Can Help With Your Compliance Needs
We offer a full turnkey SOC to get you into compliance with the cybersecurity regulations and standards applicable to your business. We hunt for vulnerabilities using penetration testing, email scans, and dark web scans, and we produce full network security assessment reports with immediate risk scores and any necessary action items.
If you’re located in the Northeast including New York and Vermont, our team of security experts at C2 can also visit your premises and do a physical assessment to help prepare your documentation for your compliance auditors.
Are there hidden vulnerabilities in your system that need to be uncovered and addressed? Find out before the regulators do. Get started today and contact our cybersecurity team.