Do the Two Key Modifications to HITRUST CSF v9.1 Affect Your Business?
Does it seem like HITRUST® continually releases new versions that are chock-full of new elements and updates? As you well know, even if it does put a few crimps in your IT team’s schedule when it comes to implementing those updates, the information security professionals involved with HITRUST do it all for the benefit of compliance-based and risk-based organizations, as well as their clients and any invested third parties.
Standards, rules, regulations and laws are constantly changing to reflect the increasing trend toward the digitalization and globalization of records, so it is good to have a trusted body looking out for businesses.
Unpacking the Two Key Modifications to HITRUST CSF® v9.1
Always diligently seeking ways to improve its framework for flexible and efficient regulatory compliance and risk management, HITRUST has developed a few key modifications with the February 2018 release of HITRUST CSF v9.1.
While HITRUST has made frequent updates over the years, many are minor and subtle refinements that streamline existing framework elements. This time, however, the modifications are fairly substantial and have far-reaching implications for businesses working with clients both at home and around the globe.
What Sparked the Need for HITRUST CSF v9.1?
There are two extremely important elements that propelled the HITRUST team to develop HITRUST CSF v9.1. This version incorporates the European Union (EU) General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018, and the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23NYCRR 500), which took effect on March 1, 2017.
Both the GDPR and 23NYCRR 500, which can now be selected as regulatory factors when scoping an assessment, are key modifications to the HITRUST CSF, offering new and crucial ways to protect businesses and the data they hold for customers, patients and third parties.
Take a closer look at each new regulation to learn what it entails and how it may apply to your business.
The EU Connection: The GDPR
Many businesses around the world are still scrambling to make sure they comply with the GDPR by its official enforcement date of May 25, 2018. The Regulation is massive in scope: it applies not only to organizations established in any of the 28 EU member states, but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU.
More specifically, GDPR replaces the former EU Data Protection Directive 95/46/EC to more accurately reflect current issues in data collection, storage and transmission. More importantly, GDPR is intended to “bring harmonization across the EU regarding data privacy,” per The GDPR Associates. Through its extraterritorial reach, it also pushes organizations outside the EU toward the same standard of data protection.
The Regulation affects businesses all over the globe that provide goods and services to people in the EU, particularly financial services firms and any other organizations that hold or monitor large volumes of EU residents’ personal data.
A few of the most important requirements of GDPR include:
- Knowing what personal data you hold and classifying it properly, with stricter handling for special categories such as health data.
- Having a lawful basis for every processing activity; where that basis is consent, the consent must be freely given, specific, informed and as easy to withdraw as it was to give.
- Appointing a Data Protection Officer (DPO), where the Regulation requires one, to inform and advise the organization and its employees about their obligations under GDPR and other data privacy laws.
- Honoring data subject rights, including the right to access, correct, erase and port their personal data.
- Notifying the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, and notifying the affected individuals without undue delay when the breach is likely to result in a high risk to them.
There is much more to GDPR that HITRUST CSF v9.1 covers to help make sure businesses are fully aware, prepared and compliant with this massive Regulation by the May 2018 deadline and beyond.
Additionally, the incorporation of GDPR is a major part of HITRUST’s initiative to find ways to protect consumer data globally, starting with the EU.
Who Must Comply with the GDPR?
Any business that provides goods or services to individuals in the EU, even on the smallest level or frequency, must consider whether it is subject to the GDPR. If you hold or process the personal data of people in the EU, you must comply with the Regulation to avoid potential penalties.
What Are the Penalties for GDPR Non-Compliance?
The penalties for non-compliance with the GDPR are immense and potentially devastating for smaller businesses. There are two tiers of administrative fines:
- Lower tier: up to €10 million or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
- Upper tier: up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher.
A New York State of Security with 23NYCRR 500
The 23NYCRR 500 was developed in response to the steadily, and in some years rapidly, increasing number of data breaches affecting the financial services industry over the past decade.
The New York State Department of Financial Services (NYDFS) set out to develop a workable cybersecurity program requirement to protect New York financial institutions, their customers and the nonpublic information those institutions hold. The regulation applies to Covered Entities: organizations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s Banking Law, Insurance Law or Financial Services Law, regardless of where the organization itself is headquartered.
A few of the most important requirements under 23NYCRR 500 include:
- Section 500.02: Cybersecurity Program Establishment. Establish a cybersecurity program with a foundation resting on periodic risk assessments intended to identify and evaluate risks. This program is meant to protect information systems and private information. It is also meant to detect, respond to and recover from any cyber-event or data breach while adhering to all reporting responsibilities.
- Section 500.03: Cybersecurity Policy Creation and Maintenance. Create and maintain a collection of policies and procedures to protect the organization’s systems and any private information, based on the organization’s risk assessment.
- Section 500.04: Appointment of CISO. Each company must designate a qualified Chief Information Security Officer, who may be employed by the company itself, an affiliate or a third-party service provider, to develop, oversee and implement the cybersecurity program and policies and to report to the board at least annually.
- Other important 23NYCRR 500 requirements include penetration testing and vulnerability management, audit trails, application security, risk assessments, multi-factor authentication, limitations on data retention, encryption of nonpublic information and an incident response plan that includes breach notification.
Who Must Comply with the 23NYCRR 500?
Any organization that holds a license, registration, charter or similar authorization under New York’s Banking Law, Insurance Law or Financial Services Law must comply to some degree, wherever it is headquartered.
There is a “Limited Exemption” (Section 500.19) that removes several of the technical requirements for a covered entity meeting any one of the following criteria. Exempt entities remain subject to the core requirements, including the cybersecurity program, policy, risk assessment, third-party provider policy and breach notification:
- Fewer than 10 employees, including independent contractors, located in New York or responsible for the business of the covered entity
- Less than $10 million in year-end total assets, including the assets of all affiliates
- Less than $5 million in gross annual revenue from New York business operations in each of the last three fiscal years
Companies that most frequently must comply with the requirements of 23NYCRR 500 include:
- State-chartered banks
- Private bankers
- Licensed lenders
- Service contract providers
- Mortgage companies
- Trust companies
- Foreign banks licensed to operate in New York
- Insurance companies doing business in New York
What Are the Deadlines for 23NYCRR 500 Compliance?
Compliance with 23NYCRR 500 has been phased in through a series of transitional deadlines. The remaining dates, from March 1, 2018 forward, include:
- March 1, 2018. Deadline for the second round of technical requirements, including the CISO’s annual report, penetration testing and vulnerability assessments, the risk assessment, multi-factor authentication and cybersecurity awareness training. The first annual Certification of Compliance was due separately on February 15, 2018, and is due each February 15 thereafter.
- September 3, 2018. Deadline for the third round of technical requirements, including audit trails, application security, limitations on data retention, monitoring of authorized users and encryption of nonpublic information.
- March 1, 2019. Deadline for the third-party service provider security policy under Section 500.11. The obligation rests with the covered entity, which must perform due diligence on the providers that access its systems or nonpublic information and set the minimum cybersecurity practices those providers must meet.
What Does HITRUST Hope to Achieve with the Release of HITRUST CSF v9.1?
With HITRUST’s continuing mission to maintain a comprehensive information privacy and security framework built on the most current regulations, requirements, laws and rules, it was only a matter of time before the body developed and released this timely and critical version.
The GDPR and 23NYCRR 500 both represent major steps forward in protecting customers’ personal data. By incorporating these large-scale regulations into the HITRUST CSF as selectable regulatory factors, HITRUST makes it easier for your organization to track and maintain compliance with both through a single assessment.
Are You Ready for HITRUST CSF v9.1?
If you feel a little overwhelmed after looking through the various requirements, deadlines and penalties, you are far from alone. Many businesses are doing their best to just keep up with all the cybersecurity regulations that will inevitably keep coming up, thanks to our increasingly technology-based global business landscape. In reality, HITRUST CSF v9.1 can help you keep everything on track.
At I.S. Partners, LLC, we sympathize with your struggle to juggle your daily tasks with maintaining solid compliance with every regulation out there.
Call us today at 215-631-3452, send us a message, start a chat session or request a quote today so we can talk more about HITRUST CSF v9.1, the GDPR, 23NYCRR 500, or any other concerns or questions you might have.