What Regulations Require the Designation of a Chief Information Security Officer (CISO)?

The Chief Information Security Officer (CISO) plays a critical role in a company's ability to operate continuously. Without an individual dedicated to the ongoing management of risk, companies tend to overspend, and to spend in areas where the true risk may not lie. CISOs are accountable for taking complex risk discussions and making them understandable for stakeholders, including board members and all levels of leadership. But when is a CISO or CISO-as-a-Service required, as opposed to just a good idea?

New York

In New York State, insurance, banking, and financial services companies with over 10 employees, $5 million in gross annual revenue, and $10 million in year-end total assets must designate a qualified individual, whether employed by the company or outsourced, to be a CISO. See regulation 23 NYCRR 500, section 500.04 for details.

Insurance Companies Nationally

At the end of 2017, the National Association of Insurance Commissioners (NAIC) took New York's cybersecurity law mentioned above and used it as the basis for the Insurance Data Security Model Law (MDL-668). NAIC then encouraged all other states to adopt a cybersecurity law similar to New York's.

South Carolina

South Carolina was the first state to pick up the NAIC model law and apply it to insurers licensed in the state. Its South Carolina Insurance Data Security Act became effective January 1st, 2019. The need for a CISO is discussed in multiple sections of that law, including § 38-99-20(C)(1), 38-99-20(E)(1), 38-99-30(A) through 38-99-30(B)(3), and 38-99-30(C). According to § 38-99-20(C)(1), "the licensee shall designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee as responsible for the information security program". This is essentially the definition of a CISO: someone responsible for the overall information security of an organization.

Connecticut and New Hampshire

As of the writing of this article, both Connecticut and New Hampshire have bills introduced in their state Senates that follow the NAIC model law and apply to companies licensed in those states to write insurance. See Senate Bill 194-FN for the full text of the New Hampshire bill.

Massachusetts

Massachusetts has a state-level regulation, 201 CMR 17, that requires any company, regardless of domicile, that stores information about citizens of the Commonwealth to maintain a set of minimum security requirements, including designating an individual to "maintain the comprehensive security program" (in other words, a CISO). Massachusetts was ahead of the curve, as 201 CMR 17 became effective nearly a decade ago.

Investment Companies and Advisors

The Securities and Exchange Commission (SEC) created a document entitled Cybersecurity Guidance that outlines its suggestions for investment companies and investment advisors. In it, the SEC implores these companies to "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". Creating a security strategy and educating employees on it is at the core of what CISOs do. So, a translation of the SEC's guidance is to hire a CISO and have that individual create and execute a cybersecurity strategy. In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework, which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover.

Final Thoughts

As time goes on, more and more states and industries are seeing the need for dedicated individuals to "babysit risk" and ensure the ongoing execution of companies' information security strategy. The CISO role is becoming almost like water and electricity: just one of the many elemental things companies need in order to stay protected and in business. Interested in outsourced CISO or CISO-as-a-Service? Contact us for a free consultation.
