A quick guide to Minnesota’s new cybersecurity funding and compliance requirements

Throughout Minnesota and beyond, cybersecurity continues to be a top concern for public agencies, especially with the rise of AI. In 2024, to bolster the state’s cyber defenses, the Minnesota Legislature passed a law requiring public agencies to report certain cybersecurity incidents. The State of Minnesota, Minnesota IT Services (MNIT), and the Bureau of Criminal Apprehension (BCA) are eagerly enforcing it.
The good news is, there is funding available to help public agencies comply with the state’s enhanced cybersecurity requirements. To help you better understand these cybersecurity requirements and available funding, here’s what you should know.
What is a cybersecurity incident?
Minnesota law defines a cybersecurity incident as “an action taken using an information system or network that results in an actual or potentially adverse effect on an information system, network, or the information it contains.”
What are Minnesota’s new cybersecurity compliance requirements?
Effective December 1, 2024, public agencies, including state agencies, local governments, public education entities, and government contractors, must report certain cybersecurity incidents to MNIT and the BCA.
If the incident impacts criminal justice information and systems, the agency must submit the report within 24 hours.
For all other incidents, the agency must submit a report within 72 hours of discovering the incident or reasonably determining or believing an incident has occurred.
What types of cybersecurity incidents should you report?
Minnesota requires public agencies to report any cybersecurity incident that impacts their services, systems, or people. These could include:
- Compromised account/password
- Defacement
- Denial of service (DoS)
- Malware
- Network attack
- Operational Technology/Industrial Control System/Supervisory Control and Data Acquisition (OT/ICS/SCADA)
- Potential data exposure
- Ransomware
- Social engineering
- Unauthorized access
- Web application attack
What type of cybersecurity funding is available?
There are grants available through the Whole-of-State Cybersecurity Plan, a partnership between MNIT and the Minnesota Cybersecurity Task Force, to provide funding for public agencies that wish to bolster their cybersecurity measures. These activities could include anything from upgrading security infrastructure and tools to adding features to existing IT security components. To learn more about the plan and how to participate, head to the Whole-of-State Participant Information page on MNIT’s website.
What else should you do?
Preventing a cybersecurity incident requires more than robust IT security components; you need solid internal controls.
Internal controls are the processes an organization follows to protect its assets and financial data and to maintain compliance with laws and regulations. Regularly reviewing your agency’s internal controls can help to ensure their effectiveness.
Here are some key internal controls to focus on when performing your review:
- Access Controls:
  - Implement strong authentication mechanisms, such as multi-factor authentication, and regularly review and update user access rights and roles.
- Incident Response:
  - Develop and maintain an incident response plan.
  - Conduct regular drills and training to ensure staff are prepared to respond to incidents.
  - Establish procedures for reporting and managing security incidents.
- Security Awareness and Training:
  - Conduct regular training sessions for employees on cybersecurity best practices and social engineering threats.
  - Test employees’ awareness through simulated phishing attacks and other exercises.
- Audit and Monitoring:
  - Implement continuous monitoring tools to detect and respond to unusual activities.
  - Regularly review logs and conduct audits to identify potential security incidents.
  - Use automated tools to enhance log analysis and monitoring processes.
- Vendor Management:
  - Assess the cybersecurity posture of third-party vendors and ensure they adhere to your security policies.
  - Include cybersecurity requirements and responsibilities in contracts with vendors.
- Backup and Recovery:
  - Ensure regular backups of critical data and systems.
  - Test the backup and recovery process periodically to ensure data can be restored in the event of an incident.
When it comes to improving your agency’s cybersecurity, this is a great place to start.
Shine a light on your agency’s cybersecurity
With MNIT and the BCA ramping up their enforcement efforts, now is a great time to focus on your agency’s cybersecurity measures. To help you meet these new requirements, our team can assist with applying for grant funding and evaluating your agency’s internal controls.
For more information and to access Minnesota’s Cybersecurity Incident Reporting Online Form, head to MNIT’s webpage.
To learn more about how we provide financial and operational guidance for public agencies, contact us today.
March 5, 2026
Please note: Operational and regulatory guidance is frequently changing and the information included here may be out of date—please consult the latest guidance and with your advisor before taking action.