Cybersecurity and The Regulations That Come with It

September 27, 2017 Collin Varner

In the information technology world, there are currently few buzzwords as popular as the term cybersecurity. As CIOs and VPs evaluate the status of their network environment and decide who will oversee the related processes—including who has the unfortunate task of reporting to the Board—one overarching question remains a puzzle: with what regulations do we need to comply?

In 2017, the information security world saw multiple regulatory bodies and standards organizations—both in the government and the private sector—release their version of what the baseline for a cybersecurity program should be, including the following:

  • AICPA Cyber Security SOC
  • New York Department of Financial Services Cyber Security (regulation 23 NYCRR 500)
  • NIST Cyber Security Framework
  • NAIC Insurance Data Security Model Law

With so many different versions, how does an individual organization condense these guidelines into a specific and secure compliance plan?

To start, evaluate the common themes in cybersecurity and what is required to best secure your company’s sensitive data. So, what is cybersecurity, exactly? Merriam-Webster dictionary defines it as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” Measures are available to help protect your organization from such unauthorized access or attack—these fall into three more specific categories:

  1. People
  2. Process
  3. Technology

People
Security starts at the top, and every company needs knowledgeable leadership to influence the path of an organization’s IT department, and that includes leadership that can jumpstart forward thinking and adaptability regarding security trends. The IT department itself should consist of qualified personnel ready to detect and respond to cybersecurity events—all IT staff should be practiced in the process of restoring normal operations, as well as able to train other employees and third-party providers on how to identify and prevent malicious activity.

Process
Trained staff only come with established procedure. To best ensure security activities are being performed and overseen in line with management’s intent, an organization needs defined, repeatable processes that are documented and communicated to employees (and third-party personnel) with access to sensitive data. Detailed risk assessments should be performed by personnel who possess competence and experience with the corporate environment. Penetration testing and vulnerability scans are other common tests performed by skilled professionals that can help identify weaknesses and secure systems against potential threats. Security awareness testing and education should be conducted at least annually, both for end-users and for those who respond to incidents, the latter being arguably the more important audience. Testing of protection against common threats should be conducted frequently, so that response becomes second nature, while testing against less common but more damaging attacks should also be directed, in order to educate the members involved and prepare them for their roles in the process.

Technology
To maintain an effective team and support a chosen process, you must also possess the right tools. Standard technology for protection against cyber-attacks includes network firewalls, antivirus and other supporting utilities, such as an intrusion detection or prevention system, all with system security settings configured to the scale and complexity of your organization. To confirm this, evaluate the results of a performed risk assessment and verify that the technology in place gives you the right data to identify and detect emerging threats. Furthermore, maintain and update these tools as your organization adapts to new security events and other impacts to the environment—as threats evolve and become more complex, so should the technology being used to fight them.

Cyber events will happen. The question is not whether an organization can prevent an attack 100% of the time, but rather when and how an event will be addressed when it DOES occur. One thing is 100% certain—an organization cannot be negligent in the handling of data. Ensure you have knowledgeable leadership in place, with staff and technological support that can perform and oversee the organization’s cybersecurity program and respond to any threats efficiently.

About the Author

Collin Varner

Collin Varner is a Senior Associate at Schellman & Company, LLC. Prior to joining Schellman, Collin was an Advisory Manager planning, organizing, and managing multiple facets of information technology security reviews, including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting. Collin also served as the lead in IT compliance for a small, private healthcare organization, in addition to several years’ experience as a consultant for reputable accounting firms. As a Senior Associate for Schellman, Collin focuses primarily on IT attestation, audit and compliance activities as they relate to numerous standards, including Sarbanes-Oxley (SOX), Service Organization Control (SOC), HIPAA, and ISO 27001.
