If you’re a financial institution that does business in New York State, then you most likely already know about New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), commonly referred to as the NY-DFS Cybersecurity Regulation. And if you don’t…then you definitely should since it took effect on March 1st, 2017 and the next big deadline is coming up very soon on September 3rd, 2018.
Dark Reading called the Cybersecurity Requirements for Financial Services Companies “one of the harshest cybersecurity regulations to hit companies in the US”. In short, covered entities “will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations.”
These new regulations acknowledge that the threat posed by bad actors and cybercriminals over the past decade has significantly increased, such that it is no longer enough to react to breaches or incidents of data loss after they occur, but it is necessary to implement appropriate security controls such that breaches are less likely to occur in the first place.
What’s Happening on September 3rd, 2018?
The 18 month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections:
- 500.06 – Strong audit – full visibility of shared sensitive data inside and outside the business at any time
- 500.13 – Data retention limitations – Control, destroy, archive and search on shared data to minimize the data footprint without blocking conflicting regulations like SEC 17A4 and FTC controls
- 500.14 – Training, monitoring and awareness – Tools that teach users best practice and avoid mistakes with the latest AI and machine learning built-in
- 500.15 – Data encryption for non-public data in transit and at rest – encryption for collaboration-heavy financial services without friction or complexity, with precise control and monitoring
Let’s Talk About Encryption
NY-DFS takes a very prescriptive approach to cybersecurity which includes a mandate to encrypt data both at rest and in transit. The requirement for greater use of encryption for data at rest and data in motion applies to data regardless of whether this data is in a public or private cloud, or on a device.
Section 500.15 Encryption of Nonpublic Information:
As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
According to a recent study by the Ponemon Institute and Thales eSecurity, enterprises are increasingly looking to encryption to protect sensitive data. Of the 5,252 professionals surveyed worldwide, 43% said that their organization has an encryption strategy applied consistently across their enterprise. However, while encryption numbers have increased, many organizations have yet to take a strategic approach to encryption, and some still fail to encrypt sensitive information at all. As for the NY-DFS requirements, except in situations where encryption is deemed “infeasible”, in which case compensating protection methods can be used, you can’t really get out of encrypting your sensitive data. Today, it’s hard to imagine an IT infrastructure that does not support encryption. For most organizations, the question at this point is two-fold: (1) how to encrypt data, which we will cover in next week’s blog post, and (2) how to protect encryption keys.
Keys, Keys, Keys
Among all the encryption-related activities needed to prepare for NY-DFS, such as taking inventory of all your financial systems, documenting where all sensitive information, including non-public information (NPI), is stored, prioritizing encryption projects (i.e., discovery), and encrypting the data itself, the most important is establishing key management standards. Encryption key management is the foundation of security and privacy protection: if keys are lost or corrupted, the result can be loss of access to systems and data, or a system that is rendered completely useless. Many organizations fail to protect their encryption keys adequately due to a number of challenges, including the use of incompatible tools, data stored in hundreds of places throughout the organization that is hard to manage, and exponential growth in the number of keys, which cannot all be tracked. If these key management and protection challenges are not met, keys can end up in the wrong hands.
Leading financial institutions have turned to Unbound to help them with their key management challenges in light of NY-DFS. Because these financial institutions already need to encrypt their data at rest and in transit to be compliant with Section 500.15 of 23 NYCRR 500, there comes the question of where to store their encryption keys.
When our customers considered their key management options, hardware-based solutions didn’t fit the bill. To directly quote our customer, “does it make sense to buy a box?” Hardware-dependent key management, although highly secure, involves complicated, cumbersome and manual processes, whether it’s the initial setup, maintenance or backup. These particular customers do not have the on-premises IT infrastructure, nor the personnel with the unique legacy knowledge to maintain Hardware Security Modules (HSMs). Furthermore, relying on physical hardware does not allow for automated or scalable key management across their entire infrastructure.
By implementing Unbound’s So while maintaining NY-DFS compliance was the precursor to establishing effective enterprise key management, in the end our customers not only gained a better security posture, but also can deliver apps and services to their customers that they wouldn’t have been able to do with hardware.
Just the Beginning
It’s important to keep in mind that New York State is not the only state adopting similar cybersecurity regulations. Colorado recently passed its own cybersecurity rules, with more states to With a complex web of regulations both intra-state, inter-state, and across international borders, all financial institutions will benefit from adopting cybersecurity rules and standards as best practices, whether they are subject to them or not. And while we don’t need to convince you to comply with NY-DFS, or any other relevant cybersecurity regulation for that matter, we also urge you not to delay the inevitable. Yes, becoming compliant is a hassle, but asking for extensions is like putting a band-aid on an open wound. It’s best just to get it done, and in the process of becoming compliant, financial institutions also have the opportunity to deploy technologies that make them more agile, more efficient and ready for the future.