New York Cybersecurity Laws and Regulations
The first self-replicating programs appeared in the 1970s, and once personal computers such as the Apple II and the IBM PC arrived in the early 1980s, viruses written for them followed almost immediately. Some of the early malware did no real damage; it was written just to prove it could be done. Yet some did real damage, and the history of malware began.
If one just had a cursory acquaintance with the news over the last several months, it would be apparent that companies are being attacked by cyber criminals on a regular basis. The federal government has been attacked; hospitals have been attacked; a major energy pipeline has been attacked. Those are the ones that make the news. In reality, these statistics should give everyone pause:
- Every 40 seconds, a new cyberattack starts.
- Ransomware attacks are increasing at a rate of 400% per year.
- Over 25,000 different malicious applications are detected and blocked every day.
- Each day, hackers attack over 30,000 websites.
- Over 65% of organizations worldwide have had at least one cyberattack against them.
- Email is responsible for propagating 95% of all malware.
- 43% of all cyberattacks are made on small businesses.
In the early days of personal computing, teenagers created malware just to prove they could. Today malware is a huge industry whose goal is to steal data, or to hold data for ransom, in order to make money. No company, no matter how small, is immune from attack.
Over the past decade, most attacks had the goal of stealing personal data: names, usernames, passwords, credit card information, etc. Much of this stolen information eventually is posted for sale on the Dark Web, a segment of the internet replete with criminal activity. Anyone can reach it; it takes nothing more than the free Tor Browser. There, commerce sites offer the stolen data for sale. Criminals purchase this information to break into individuals' bank accounts and credit cards, steal funds, and illegally purchase goods and services.
More recently, criminals have increasingly added a second tactic to stealing data: making the data unavailable to the company that owns it. Ransomware, once running on a computer or network, encrypts the data, and the company cannot access it unless it pays a ransom to the criminal for the key that unlocks the encryption. (Many ransomware groups now also copy the data before encrypting it and threaten to publish it, so a backup alone does not end the extortion.) As we have seen in the past few months, the costs to recover from such an attack can run into the millions.
As a result, many governmental authorities have passed laws and regulations designed to compel businesses to protect the personal information of their clients and customers. Two states leading this effort have been California and New York, although many other states, many federal agencies, and many professional organizations have published similar policies and regulations.
For us here in New York, there are two sets of requirements of which all businesses should be aware, and with which they must comply. One is the SHIELD Act, and the other is the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500).
Both have similar requirements. They compel the company to create and adopt a formal, written cybersecurity program. The program must be consistent with generally accepted cybersecurity standards, such as those published by NIST and ISO, the HIPAA Security Rule, the GDPR, and the AICPA SOC 2 criteria. In particular, the NIST Cybersecurity Framework, which both New York requirements track closely, organizes a program around five general functions each company must address:
- Identify the potential risks
- Protect against the risks
- Detect threats and attacks
- Respond to the threats, attacks and breaches
- Recover from the threats, attacks and breaches.
These laws and regulations are less about technology, and more about planning, promulgation of written policies and procedures, and documentation that can be reviewed by governmental and independent auditors.
The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) was signed into law in July 2019. Its expanded breach-notification provisions took effect on October 23, 2019, and its data-security provisions on March 21, 2020. Every company, no matter how large or small and no matter what industry or service, that owns or licenses computerized data containing the private information of New York residents must comply with the law. In general, it expands the types of private information for which companies must notify consumers in the event of a breach, and it requires companies to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. More specifically, it requires every such company to
- designate one or more employees to coordinate the security program;
- identify reasonably foreseeable internal and external risks;
- assess the sufficiency of safeguards in place to control the identified risks;
- train and manage employees in the security program practices and procedure;
- select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and
- adjust the security program in light of business changes or new circumstances.
Other provisions of the law follow from these and require the company to develop and document reasonable physical and technical safeguards. The law is enforced by the New York Attorney General: failing to notify affected residents of a breach can bring a civil penalty of up to $250,000, and failing to maintain reasonable safeguards can bring a penalty of up to $5,000 per violation.
The NYDFS regulation, which took effect on March 1, 2017, applies to any company that must be licensed, registered or chartered by the department (a "Covered Entity"). On the corporate side, this includes banks, credit unions, large insurance companies, and large brokerages. But it also impacts small businesses: financial advisers, insurance agents, public adjusters, or any individual or business that must hold a license from the department.
The sections of Part 500 are specific and detailed. For large companies, it can be very expensive to comply. Systems must keep audit trails sufficient to reconstruct material financial transactions and to detect and respond to cybersecurity events. The company must arrange for regular penetration testing (hiring an ethical hacker to try to break in and reach protected information) and vulnerability assessments, and employ specific technologies such as multifactor authentication for remote access.
Fortunately, small businesses do get some relief through the regulation's limited exemption. As originally written, Part 500 treated a Covered Entity as eligible for that exemption if it:
- Has fewer than 10 employees (including independent contractors), counting its affiliates
- Has had annual gross revenues of less than $5 million from New York business operations in each of the last three fiscal years
- Has end-of-year total assets of less than $10 million.
(The November 2023 amendment to Part 500 raised these thresholds to fewer than 20 employees, less than $7.5 million in New York gross revenue, and less than $15 million in total assets; check the current text of 23 NYCRR 500.19 before relying on the exemption.)
To comply with the regulation, even an exempt small business must have a documented cybersecurity program that, on an annual cycle, includes the following six steps:
- Undertake and document a risk assessment. This includes not only the technological risks, but the physical risks as well. The result of this annual assessment should be a formal, written document that also outlines the steps the company should take to reduce the risks.
- Develop a cybersecurity program, based on the risk assessment, which should include written policies and procedures that cover all areas of cyber and business security.
- Have a detailed, written incident response plan. This documents all the steps the company would follow should there be an attack, breach or theft.
- Vet all vendors to ascertain that they, too, are in compliance with cyber laws, regulations and standards.
- Train all employees (and document the training) in cybersecurity hygiene.
- Annually certify to the NYDFS (under penalty of perjury) that the company complies with all the regulations.
Andrew M. Garlick is CEO and Principal of The Garlick Group, a consultancy serving small and medium-sized businesses and non-profits, specializing in cybersecurity, cyber compliance, digital transformation, and business operations. He is also a partner in Cyber Compliant LLC. Andy has taught classics at Wayne State University, accounting at the University of Michigan and management at Columbia University. He is currently an assistant professor at Felician University, Rutherford, N.J.