The New York Department of Financial Services (DFS), alongside Governor Andrew Cuomo, announced last September a series of new rules setting cybersecurity requirements for financial firms regulated by the DFS in the state of New York. Because financial firms, including banks, hedge funds and insurers, hold treasure troves of private client data, they are routinely targeted in cyber attacks. The DFS therefore wants to ensure that client information, PII, investment strategy and other non-public information are kept safe and protected.
The 23 NYCRR 500 states that:
“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”
The Bottom Line
Financial firms will be required to have:
- Cybersecurity program including network penetration testing, audit trails, and restricted access to information
- Cybersecurity policy
- Data encryption of “nonpublic information held or transmitted” in the firm
- Enhanced multi-factor authentication
- Annual certification
- Incident reporting
- Retention and/or timely destruction of nonpublic information
- Senior security officer
- Overall scrutiny of third-party vendors
Let’s Talk About Encryption
But it isn’t that simple, or more specifically, encryption isn’t that simple if it is to be an effective control against the current threat landscape. The DFS is worried about untrusted parties gaining access to data, and requires more than simple encryption: limited access rights, audit trails, and remote wipe of that data where the situation calls for it. In today’s complex technology ecosystem it is no longer feasible to define access only at the system, device or perimeter level; access has to be defined at the data level, which is why the DFS is insisting on encryption combined with access controls, audit trails and retention controls.
Encryption Means Encryption Keys
While on the topic of encryption, let’s also discuss encryption keys. Wherever there is encryption, there is also an encryption key, and those keys need to be protected and managed in their own right. How does an organization go about doing that? It might use a physically secure key protection system such as a Hardware Security Module (HSM), Trusted Platform Module (TPM) chips, or hardware tokens. Up until now, hardware has been significantly more secure than software-based solutions, yet not particularly flexible, agile or scalable. For all those financial institutions grappling with how to comply with New York’s cybersecurity regulations, imagine implementing multiple HSMs: ordering the actual devices, waiting weeks for delivery, arranging specialized technicians to physically install the devices, and allocating staff hours to ensure everything is connected properly. Such an undertaking can be costly in both time and money for organizations that need to become compliant sooner rather than later.
Moving Into the Cloud
In addition, going the hardware route may not meet strategic organizational initiatives. With the trend towards multi-cloud infrastructure in order to build and transform web and mobile apps for retail and business banking, wallets and internal apps, security architecture must also go beyond existing perimeter-centric models. Seamless tools that promote collaboration and rapid development to power delivery of digital business applications require heterogeneous computing environments across the cloud and on-premises while maintaining data protection, access and control.
Here is where Unbound comes in.
Unbound provides a clever solution to the problem of key management in a hybrid IT, multi-cloud world. Specifically, an organization can move part of its data center into the cloud and move its entire cryptographic infrastructure into Unbound Key Control (UKC). Unbound UKC handles the protection and management of cryptographic keys used for data encryption, PKI and so on. Based on the mathematical principles of Multiparty Computation (MPC), UKC splits each key and stores the pieces on different servers, either in the cloud or on-premises; key material never exists in one single location at any point in the key lifecycle. Because the key is distributed between two servers and never unified, it cannot be compromised or cloned. Additionally, UKC provides a real-time, tamper-proof audit log that integrates with SIEM and log management systems. It supports standard algorithms, including NSA Suite B and RSA, and is also future ready, including post-quantum crypto and blockchain-specific algorithms. It seamlessly integrates with all standard crypto APIs (e.g. PKCS#11, CNG, OpenSSL) as well as KMIP, and also includes a full REST API that is ideal for the development of cloud-native applications. The solution is in the process of receiving FIPS 140-2 certification. As such, UKC might be the answer for the many financial institutions that need to comply with 23 NYCRR 500, enable digital innovation, and improve their security posture in a hybrid IT, multi-cloud environment.
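To make the split-key idea concrete, here is an added Python sketch (not Unbound’s code or its actual MPC protocol) of a two-party RSA signature in which the private exponent is additively shared between two servers and each server computes only with its own share, so the full exponent is never reconstructed. The toy-sized primes and the digest value are constructed for illustration.

```python
"""Educational sketch of signing with a split RSA key.

The private exponent d is shared as d = d1 + d2 (mod lambda(n)). Each
server raises the digest to its own share; multiplying the two partial
results gives digest^d mod n without either server ever holding d.
This is a simplified additive split, not Unbound's protocol.
"""
import secrets
from math import gcd


def make_toy_rsa():
    # Constructed small primes for illustration; real keys use 2048-bit moduli.
    p, q, e = 1000003, 1000033, 65537
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    d = pow(e, -1, lam)                           # private exponent
    return n, e, d, lam


def split_key(d, lam):
    """Additive 2-of-2 sharing: d1 is uniformly random, d2 = d - d1 mod lambda."""
    d1 = secrets.randbelow(lam)
    d2 = (d - d1) % lam
    return d1, d2


def partial_sign(share, digest, n):
    """One server's contribution, computed from its share alone."""
    return pow(digest, share, n)


def combine(part1, part2, n):
    """digest^d1 * digest^d2 = digest^(d1+d2) = digest^d (mod n)."""
    return (part1 * part2) % n


def verify(sig, digest, e, n):
    return pow(sig, e, n) == digest % n


def demo(digest=123456789):
    n, e, d, lam = make_toy_rsa()
    d1, d2 = split_key(d, lam)
    sig = combine(partial_sign(d1, digest, n), partial_sign(d2, digest, n), n)
    return verify(sig, digest, e, n)  # True: valid signature, d never assembled
```

A single partial result on its own does not verify, which is the property the text relies on: compromising one server yields neither the key nor a usable signature.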
At the end of the day, these regulations are bigger than New York, and bigger than just banking and finance. It is safe to assume that similar regulatory bodies, both domestically and internationally, will adopt comparable rules in the near future. Enterprise security is shifting away from perimeter-protection paradigms toward data-centric strategies. And while becoming compliant with New York’s cyber regulations might be a “pain” in terms of bureaucracy, resource allocation and funding, rest assured that they will reduce the risk of data breaches from external and internal threats, negligence and general human error.