California. New York. Massachusetts. One by one, states are turning up the heat on cybersecurity regulations—and if you're not preparing your clients for what’s coming, you're not just behind. You're exposed. 

Last week I blogged about upcoming California rules requiring annual cybersecurity assessments, but New York and Massachusetts have also passed new regulations. 

In New York, the newly amended 23 NYCRR Part 500 now mandates that “Class A” companies (those making $20M+ from NY operations and either 2,000+ employees or $1B in global revenue) undergo an independent cybersecurity audit annually. Not an internal review. Not a checkbox. An independent, provable, auditor-verified assessment. 

In Massachusetts, the 201 CMR 17.00 regulations take a different route: they require anyone who handles Massachusetts resident data—even if the company isn’t located there—to maintain a Written Information Security Program (WISP). While the regulation doesn’t say “hire a third-party auditor,” it does require regular testing of safeguards, an annual WISP review, and documented employee training. Want to defend yourself in court or to your insurer? That “regular testing” had better be more than a self-graded quiz. 

Here’s what this means for you: 

  • If you’re not offering recurring third-party cybersecurity assessments to clients in NY or MA, someone else will. 
  • If you can’t prove you recommended an audit—or worse, your client never did one—you’ll be the one holding the liability bag when the lawsuits start. 
  • This is no longer optional. It's the start of a nationwide domino effect, and MSPs who lead with compliance will win. The rest? They’ll be buried in litigation. 

Start offering independent third-party cybersecurity assessments now—or risk getting replaced by someone who does. Better yet, bundle it into your Cyber Liability Guard service and become the compliance partner clients can’t afford to drop.