DFS Cybersecurity Regulation Compliance

Unbound significantly reduces the cost and complexity of complying with the New York State Department of Financial Services (DFS) Cybersecurity requirements.

( let’s talk )

The Challenges of DFS Compliance in a Perimeter-Free World

Financial institutions report that the most challenging regulations to meet are those that call for enhanced encryption of data of all nonpublic information (including data both “in-transit” and “at-rest”) in their multi-site, hybrid cloud environments.

Among the many challenges:

Data in the Cloud – Housing data and applications in the cloud forces organizations to share control of encryption keys with the CSP

High-Trust Multi-Factor Authentication – User-owned devices (BYOD) are inherently insecure, so strong authentication usually requires cumbersome dedicated hardware tokens

Unbound helps organizations meet the following NYS DFS Cybersecurity Regulations

Requirements Addressed: Section 500.15 (a)


Data in TransitUnbound Key Control (UKC) protects encryption keys of data at rest and data in motion. UKC also keeps track of crypto inventory (keys, partitions, usage, etc.) and performs key management actions like generation, import, distribution, refresh and revocation. UKC can be used to protect the keys for symmetric (e.g. IPsec with AES/3DES) and asymmetric (e.g. SSH/TLS protocols) encryption algorithms.

Data at Rest – Unbound supports both Database Encryption and Application-Level Encryption modules.

  • The Unbound Key Control (UKC) Database Encryption Module is a software-only product that keeps the database encryption keys secured at all times by ensuring encryption keys are never in the clear. It includes all key management capabilities required throughout the key lifecycle, and includes a KMIP server that allows it to integrate with any existing key manager. TDE Integration is available for Microsoft SQL Server, Oracle and IBM DB2 on all platforms and CSPs. UKC also transparently integrates with MSSQL Always Encrypted, allowing you to securely protect and manage master keys to the entire database or just certain columns.
  • The Unbound Key Control (UKC) Application-Level Encryption module is a fully-integrated module supports all standard crypto APIs (e.g.  PKCS#11, Java JCE, Microsoft KSP). This simple, yet secure solution provides developers with an intuitive, easy-to-use crypto-agile API that is installed on the application server, and can be seamlessly integrated with your applications.

Requirements Addressed: Section 500.11 (2)

Unbound Key Control (UKC) lets organizations keep full control of their cryptographic keys in the public cloud. This solution, known as Control Your Own Key (CYOK), allows financial institutions utilizing SaaS and IaaS services to keep full control of their cryptographic keys, while maintaining full functionality of their applications and services in the cloud.

Requirements Addressed: Section 500.13

Unbound helps organizations satisfy the 23 NYCRR 500.13 requirement by allowing organizations to revoking/delete the encryption key that was used to encrypt nonpublic information, making the information unreadable. The revocation is fully audited and controlled by the enterprise, even on cloud-hosted workloads.

Requirements addressed: Section 500.12 (a), (b)


Role-Based Access Control (RBAC)Unbound Key Control (UKC) enables organizations to control access to data decryption keys on a “need to know” basis

Customizable, Granular Admin and Access ManagementUnbound Key Control (UKC) gives organizations the flexibility to set highly granular authorization and access management rules. For example, UKC’s Quorum (M-of-N) control policy allows orgs to define a minimum number of admins (M) out of a total number of admins (N) who must work together to perform high-security operations.

Digital CertificatesUnbound Key Control (UKC) enables organizations to go beyond password-grade security for authentication users and systems with additional cryptographic technologies, such as digital certificates.

Secure Authentication on BYOD – Unbound Crypto-of-Things (CoT) secures the private key or the OTP seed of device-centric biometric and FIDO-based authentication on insecure user-owned devices. A simple and easy-to-use SDK seamlessly integrates with any desktop or mobile application, including FIDO-based solutions, ensuring that device authentication keys are secured by protection that is built right into the application.

See it in Action

Learn how Unbound can help you achieve compliance with New York State Department of Financial Services (DFS) Cybersecurity requirements

  ( Request a Demo )

An NY-DFS Compliance Solution Made for Today’s Perimeter-Free World

Unbound is the world’s first automated, streamlined and software-defined encryption, key management and authentication platform built to address the challenges of meeting NY-DFS requirements in today’s hybrid cloud, perimeter-less world.

Unbound provides platform-agnostic software-only solutions that can be implemented on all public/private cloud and on-premises workloads, giving financial organizations secure, cost-effective and efficient means to comply with several aspects of NY-DFS, including those related to encryption, key management, authentication, access control, auditing and monitoring.

Transparent DB Encryption

Seamless integration with all popular DBs – protect keys at the DB or column level with a quick configuration update


Allows full control of encryption keys in the cloud (CYOK)

Encrypt Data-in-Use

Supports tokenization and other operations on encrypted data using format, type and order-preserving encryption

Secure Authentication on BYOD

Tamper-proof and clone-resistant identity binding to any BYOD – immune to malware

Access Control

Enables granular admin authorization, including M-of-N

Related Articles


Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.

( Download )


Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.

( Watch )


Learn how Unbound Key Control, the first secure-as-hardware key management system can protect your crypto keys anywhere.

( Download )


Learn more about how two major banks are using Unbound to reinvent data reinvent data protection in the Digital Banking age.

( Watch )