The new NYC500 Cybersecurity regulations require that Covered Entities designate a Chief Information Security Officer or CISO. These regulations go into effect March 1st, 2017.
What’s a CISO?
A Chief Information Security Officer is a designated qualified individual responsible for overseeing and implementing the Cybersecurity Program and enforcing the Cybersecurity Program's policies. The CISO may be employed by the Covered Entity, an Affiliate or a Third Party.
So I can use a Third Party CISO and be done?
If your organization chooses to utilize a Third Party CISO, your organization still retains responsibility for compliance. Next, you must designate a senior member of personnel responsible for the direction and oversight of the Third Party. Finally, Third Party CISOs are required to maintain a cybersecurity program that protects the Covered Entity.
Okay, now I have my CISO. What do they do?
The CISO must report, in writing, on the Covered Entity’s Cybersecurity Program and Cybersecurity Risks, to the board of directors or equivalent Senior Officers. This report must be done at least annually and must consider five key components:
- Confidentiality of Nonpublic Information and the security and integrity of Information Systems
- Covered Entity’s Cybersecurity policies and procedures
- Material risks to the Covered Entity
- Overall effectiveness of the Covered Entity’s Cybersecurity Program
- Material Cybersecurity Events involving the Covered Entity during the report’s time period
How do I make sure my CISO is qualified?
Just like anything else, finding the right person for the job can be time-consuming, costly and difficult.
No matter how you decide to tackle the CISO requirement, your organization will have to dedicate time and resources to make sure this section of the NYC500 is carried out effectively.
Designating an existing employee as your CISO may limit the time and effort they can spend on their current responsibilities and this individual may lack the qualifications necessary for such a role.
Hiring an affiliate or Third Party Service Provider to act as a CISO will still require active engagement from senior leadership and triggers its own set of compliance guidelines.
While there is no denying the benefit of a CISO to oversee your organization’s Cybersecurity policies and procedures, the real question is: how will your organization determine the right person for the job and efficiently manage the additional Cybersecurity expenses?