Tuesday March 6th 2018 | 09:32

Get ready for the next NYDFS Cybersecurity Regulation deadline

Data breaches keep happening and cyberattacks keep getting more sophisticated, so it’s no surprise that industries are taking cybersecurity more seriously. In 2017, the New York Department of Financial Services implemented its Cybersecurity Regulation (23 NYCRR 500), setting out cybersecurity requirements for the nearly 10,000 state-chartered banks, mortgage providers and insurance companies it regulates. With the combined assets of these institutions exceeding $6 trillion, the importance of effective data security is clear.


It’s all about managing risk

23 NYCRR 500 obliges organizations to carry out a risk assessment and use it to build a bespoke cybersecurity risk profile. Rather than one set of rules for everyone, it’s about what’s best for each organization.

23 NYCRR 500 took effect in March 2017, but there are milestones on the way to full implementation. The next deadline is the end of the eighteen-month transitional period on September 3rd, 2018.

Let’s look at what you need to have in place by then.


How to hit the next compliance deadline

500.06 – Implement full audit trail technology

You need a way to ‘reconstruct material financial transactions,’ as well as implement ‘audit trails designed to detect and respond to Cybersecurity Events.’ A full audit trail of user interactions with information systems requires monitoring all user access events, email communications, file shares, data searches within mail stores, and human error incidents like misaddressed emails.

500.08 – Ensure security of software applications

You should make sure the software you’re using is fit for purpose, security-wise. This means checking that data security solutions you’re deploying to manage risk are developed using best-practice secure development techniques and hold industry certifications like Common Criteria.

500.13 – Limitations on data retention

To securely dispose of non-public information, you first need tools to find that data across archives, networks and email, so powerful indexing, classification and search capabilities are vital. This must include the ability to search across encrypted content. Effective email retention that covers encrypted content also lets administrators search for and permanently delete all information relating to specific people. Finding information inside attachments is equally critical, as is tracking this unstructured data even after it has been edited or renamed.

500.14(a) – Implement controls to monitor user activity and detect unauthorized access

To monitor user activity, you need auditing for all actions, including file opens, edits and classification changes, for all data across the network, including email attachments. Some user actions, like downgrading a file’s classification or removing email security, pose a risk to sensitive information, and it’s critical that these actions are logged. Also consider email encryption systems that provide auditing of recipient actions together with real-time access revocation.
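As an added illustration (not code from the original post or from any product), the following script walks a constructed audit trail and flags the two action types the paragraph calls out: classification downgrades and removal of email protection. The JSON-lines record format, field names and the ordering of classification labels are assumptions.

```python
"""Flag risky user actions in a constructed audit trail (added example)."""
import json

# Assumed ordering of classification labels, lowest to highest.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

# Constructed sample audit events (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts":"2018-03-06T09:01:00Z","user":"alice","action":"file_open","object":"loan-app-1123.docx"}
{"ts":"2018-03-06T09:05:00Z","user":"bob","action":"reclassify","object":"loan-app-1123.docx","old":"RESTRICTED","new":"PUBLIC"}
{"ts":"2018-03-06T09:07:00Z","user":"carol","action":"reclassify","object":"policy.pdf","old":"INTERNAL","new":"CONFIDENTIAL"}
{"ts":"2018-03-06T09:09:00Z","user":"bob","action":"email_security_removed","object":"msg-4471"}
{"ts":"2018-03-06T09:10:00Z","user":"dave","action":"file_edit","object":"policy.pdf"}
"""


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def risky_events(events):
    """Return (severity, reason, event) tuples for actions worth reviewing."""
    findings = []
    for ev in events:
        if ev.get("action") == "reclassify":
            old = LEVELS.get(ev.get("old"), -1)
            new = LEVELS.get(ev.get("new"), -1)
            if old < 0 or new < 0:
                # A label outside the known scheme is itself suspicious.
                findings.append(("medium", "unknown classification label", ev))
            elif new < old:
                # Dropping two or more levels is treated as high severity.
                sev = "high" if old - new >= 2 else "medium"
                findings.append((sev, f"classification downgraded {ev['old']}->{ev['new']}", ev))
        elif ev.get("action") == "email_security_removed":
            findings.append(("high", "email protection removed", ev))
    return findings


def findings_by_user(findings):
    """Count flagged actions per user for follow-up by the security team."""
    counts = {}
    for _, _, ev in findings:
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, ev in risky_events(parse_events(SAMPLE_LOG)):
        print(f"[{sev}] {ev['ts']} {ev['user']}: {reason} ({ev['object']})")
```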

500.15 – Encrypt sensitive data and nonpublic information

When sensitive data is shared via email or through file-sharing websites, the right security needs to be in place. Message-level encryption that responds to classification levels can automatically apply the right level of protection, reducing both human error and malicious release. Secure online collaboration technology can also provide locked-down areas for document editing, contract annotation and real-time teamwork.

Hopefully your risk assessment also recognized the insider threat: tools that stop people making mistakes can make the difference. After all, an encrypted email accidentally sent to the wrong person is still a potential breach.

Six months to go

To hit the next 23 NYCRR 500 milestone, a data-driven, holistic approach that reduces human error and audits all unstructured data and communications activity is the right step. The work starts now to protect business-critical data and maintain public trust.
