
New York governor Andrew Cuomo recently decided to require 31 of the state’s largest insurers to provide evidence of their policies and procedures for preventing cyber attacks.

In a move designed to force companies to bolster their information security programs, the governor stated that he is “on the lookout for the next big threat”.

The governor is clearly taking a stab at state-level security regulation, something that has been going on in other states for several years.

While this seems like a reasonable move, it just makes things worse for big companies. Corporations already have to wade through a disjointed mess of regulations and laws that affect information security.

In addition to federal-level programs like Sarbanes-Oxley, the Gramm-Leach-Bliley Act and HIPAA, several states including California and Massachusetts already have laws on the books regarding protection of data and breach notification requirements.

It’s true that some companies need the legislative equivalent of a ‘sharp stick in the eye’ to establish or improve their risk management programs.

But many other companies are already spending far too many resources just determining which security and compliance programs are required in order to do business in a given industry or state.

Given Governor Cuomo’s autonomy and authority, he currently has far more ability to force the hands of insurers than the federal government, which has failed again and again to produce any meaningful cyber legislation.

CISPA, like it or hate it, represents yet another failure of the US Congress to make any substantive progress at the national level. While lawmakers argue, the Washington Post reports that some of the most confidential US weapons designs have been exfiltrated in cybersecurity breaches.

How many companies need to be breached and how many lives of ordinary Americans need to be affected before our Congress will get their act together to produce something meaningful to bolster cybersecurity requirements?

In the meantime, we should expect more states to come up with their own ideas on how to protect their citizens and their businesses.

