Think compliance is a formality? Think again. In states like New York and Massachusetts, failing to prove your cybersecurity program is airtight could cost you everything—your reputation, your clients, and your business.

Last week I blogged about upcoming California rules requiring annual cybersecurity assessments, but New York and Massachusetts have requirements of their own, and New York's were tightened recently.

In New York, the amended cybersecurity regulation of the Department of Financial Services, 23 NYCRR Part 500, applies to businesses licensed or regulated by NYDFS (banks, insurers, lenders, money transmitters and similar "covered entities"). If such a business pulls in $20 million or more in gross annual revenue from NY operations and also exceeds a size threshold (more than 2,000 employees, or more than $1 billion in gross annual revenue), it is a "Class A" company. That comes with a big new responsibility: an independent cybersecurity audit at least once a year. "Independent" here means the auditors, whether internal or external, must be free to make decisions without influence from the business being audited. This isn't optional; it's a binding regulation.

In Massachusetts, 201 CMR 17.00 applies to any business that owns or licenses "personal information" about a Massachusetts resident, meaning a resident's name combined with a Social Security number, driver's license or state ID number, or a financial account or payment card number. If that describes you, you're required to maintain a Written Information Security Program (WISP). The scope of its safeguards must be reviewed at least annually (and whenever business practices materially change), employees must be trained, and the safeguards must be regularly monitored and tested.

Here’s the kicker: The state doesn’t define “regular testing.” But do you want to be the test case that finds out what “regular” means in a courtroom?

What This Means for You:

  • If your audit is informal, or done by the same people who run the systems being audited, regulators and insurers won't take it seriously.
  • If something goes wrong and you can’t prove you followed best practices, lawsuits are just the beginning.
  • A third-party cybersecurity audit isn’t just a smart move. It’s your best legal defense.

Ask your MSP or IT provider if you’ve had a formal, third-party cybersecurity assessment in the last 12 months. If the answer is no, it’s time to fix that—before a regulator, insurer, or plaintiff attorney asks you the same question.