Financial services companies operating in the State of New York have until September 3, 2018 to be in compliance with the next set of mandates of the New York State Cybersecurity Requirements for Financial Services Companies, known as 23 NYCRR Part 500. While there are several new requirements in this latest round of rolling compliance deadlines, the biggest and most consequential of them relates to the encryption of nonpublic information.
The regulation came into effect on March 1, 2017 but has rolling deadlines for when a "covered entity" must be in compliance with the requirements of its various sections. A "covered entity" is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law". A Person can be an individual or a non-governmental entity such as a partnership, corporation or association. Covered entities include banks, check cashing companies, health insurers, life insurers, mortgage brokers, and property and casualty insurers.
With this latest deadline in the New York State Cybersecurity Requirements for Financial Services Companies, financial services companies are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500. These requirements include:
- Audit Trail (Section 500.06): Based on their risk assessment, organizations must securely maintain systems that can reconstruct material financial transactions (with those records retained for at least five years) and that include audit trails designed to detect and respond to cybersecurity events with a reasonable likelihood of materially harming normal operations (with those records retained for at least three years).
- Application Security (Section 500.08): Organizations must have written procedures, guidelines and standards for the secure development of applications developed in-house, and procedures for evaluating, assessing and testing the security of externally developed (third-party) applications. The CISO must periodically review and update these procedures.
- Data Retention Limitations (Section 500.13): Organizations are required to have policies and procedures for the secure disposal, on a periodic basis, of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Monitoring of User Activities (Section 500.14(a)): Organizations are required to implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users. Much of this section can be met by adopting an access management strategy that also addresses the multi-factor authentication requirements of Section 500.12, which took effect on March 1, 2018, and the user access privilege requirements of Section 500.07.
- Encryption of Sensitive Data (Section 500.15): This is probably the biggest and most consequential requirement for financial services companies. Based on its risk assessment, an organization must implement controls, including encryption, to protect nonpublic information both at rest and in transit over external networks. Where the organization determines that encryption is infeasible, it may instead use effective compensating controls approved by the CISO, and the CISO must review the feasibility of encryption and the effectiveness of those compensating controls at least annually. Nonpublic information means sensitive information such as personal financial data, social security numbers, account numbers, and security codes and passwords. This is the data that criminals want to steal and monetize.
With data as the new oil, it is important that organizations first find the sensitive data that must be protected and then apply encryption to it at rest in databases, applications and storage, whether it lives in the data center, in the cloud or on virtual machines. In addition to data at rest, organizations need to encrypt data in transit as it moves across the network and between data centers. Guarding against advanced threats while maintaining compliance is difficult in a dynamic environment where data moves across virtual, cloud and on-premises ecosystems, which is why organizations now need a data-centric approach to protecting sensitive information.
Just as important as encryption is the secure management of the keys that protect the encrypted data. As data grows in volume, type and location, and moves from the data center to the cloud, organizations should use centralized key management and policy enforcement, which improves compliance, governance, visibility and efficiency. Without owning and controlling the keys, an organization does not really own its data: whoever holds the keys can read it.
In addition to placing security controls directly on the data itself through encryption, companies must also place security controls on the users accessing the data. This can be done with an access management solution that combines single sign-on, access policy enforcement and multi-factor authentication to continuously verify identities, ensuring the right user has access to the right resource at the right level of trust.
The next major deadline for financial services companies under the New York State Cybersecurity Requirements for Financial Services Companies is March 1, 2019, when organizations are required to be in compliance with the requirements of 23 NYCRR 500.11 regarding third-party service provider security policies, a section with a number of requirements that access management and encryption solutions can help address.
Gemalto offers a broad range of data encryption, key management and access management solutions that can help financial services companies meet the compliance requirements of the New York State Cybersecurity Requirements for Financial Services Companies. You can learn more about how we can help by downloading our white paper.