Get ready for the next NYDFS Cybersecurity Regulation deadline
Data breaches keep happening and cyberattacks keep getting more sophisticated, so it is no surprise that regulated industries are taking cybersecurity more seriously. In 2017 the New York Department of Financial Services (NYDFS) brought its Cybersecurity Regulation (23 NYCRR 500) into force, setting out cybersecurity requirements for the nearly 10,000 state-chartered banks, mortgage providers and insurance companies it supervises. With the combined assets of these institutions exceeding $6 trillion, the importance of effective data security is clear.
It’s all about managing risk
23 NYCRR 500 obliges each covered entity to carry out a periodic risk assessment (section 500.09) and to use it to shape a cybersecurity program tailored to its own risk profile. Rather than one set of rules for everyone, the controls are expected to reflect what is appropriate for each organization.
23 NYCRR 500 took effect on March 1st, 2017, but its requirements phase in through a series of transitional periods. The next deadline is the end of the eighteen-month transitional period on September 3rd, 2018, which covers the sections below.
Let’s look at what you need to have in place by then.
How to hit the next compliance deadline
500.06 – Implement full audit trail technology
500.06 requires information systems that can ‘reconstruct material financial transactions sufficient to support normal operations and obligations’ and ‘audit trails designed to detect and respond to Cybersecurity Events.’ Bear in mind that 500.06(b) also sets retention periods for these records: not fewer than five years for the transaction-reconstruction records and not fewer than three years for the detection audit trails. A full audit trail of user interactions with information systems means logging all user access events, email communications, file shares and data searches within mail stores, together with human-error incidents such as misaddressed emails.
500.08 – Ensure security of software applications
500.08 is about the security of the software you build and the software you buy. It calls for written procedures, guidelines and standards covering secure development of applications developed in-house, and for procedures to evaluate, assess or test the security of externally developed applications used in your environment. For the data security tools you deploy to manage risk, that means checking that the vendor follows recognized secure development practices and, where relevant, holds independent certifications such as Common Criteria; for everything else, it means having a documented process for assessing an application before it goes into use.
500.13 - Limitations on data retention
500.13 requires policies and procedures for periodically disposing of nonpublic information that is no longer necessary for business operations or another legitimate business purpose (the regulation makes exceptions where retention is required by law or regulation, or where targeted disposal is not reasonably feasible). To dispose of that data securely you first have to find it across archives, file shares and email, so indexing, classification and search capabilities are vital, and they must reach into encrypted content. Email retention tooling that can search encrypted mail lets administrators locate and permanently delete everything relating to a specific person. Finding information inside attachments is equally important, as is tracking unstructured data after it has been edited or renamed.
500.14(a) – Implement controls to monitor user activity and detect unauthorized access
500.14(a) asks for risk-based controls that monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with nonpublic information. In practice that means auditing every action (file opens, edits and classification changes) on data anywhere in the network, including email attachments. Some actions, such as downgrading a file's classification or stripping the protection from an email, directly expose sensitive information, so it is critical that they are not only logged but alerted on. Email encryption systems that audit what recipients do with a message, and that allow access to be revoked in real time, are also worth considering.
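As an added example that is not part of the original post and is not any vendor's product code, the Python script below runs detection logic of the kind 500.06 and 500.14(a) describe over a constructed audit log. It flags classification downgrades, removal of email protection, confidential mail addressed outside the organization, and file opens above a user's clearance, and it reconstructs the time-ordered trail of every event touching one transaction. The JSON-lines log format, the classification scheme, the clearance table and the internal domain list are all assumptions made for the example.

```python
"""Detection over a constructed audit trail (added example, not from the page).

Assumed log format (one JSON object per line): ts, user, action, object,
classification, optional previous (for reclassify), recipients (for send)
and txn (transaction id). The classification scheme, clearance table and
internal domain list are invented for this example.
"""
import json

# Ordered classification labels; higher index = more sensitive (assumed scheme).
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Highest classification each user may open (constructed lookup table).
CLEARANCE = {"alice": "restricted", "bob": "internal", "carol": "confidential"}

# Mail domains considered inside the organization (constructed).
INTERNAL_DOMAINS = {"example-bank.test"}

# Constructed sample audit log; these lines are test data, not real records.
SAMPLE_LOG = """
{"ts": "2018-06-01T09:00:00", "user": "alice", "action": "open", "object": "loan-4711.docx", "classification": "confidential", "txn": "loan-4711"}
{"ts": "2018-06-01T09:05:00", "user": "alice", "action": "edit", "object": "loan-4711.docx", "classification": "confidential", "txn": "loan-4711"}
{"ts": "2018-06-01T09:10:00", "user": "alice", "action": "reclassify", "object": "loan-4711.docx", "classification": "internal", "previous": "confidential", "txn": "loan-4711"}
{"ts": "2018-06-01T09:12:00", "user": "bob", "action": "open", "object": "loan-4711.docx", "classification": "internal", "txn": "loan-4711"}
{"ts": "2018-06-01T09:20:00", "user": "carol", "action": "send", "object": "statement.pdf", "classification": "confidential", "recipients": ["dave@example-bank.test", "dave@gmail.test"]}
{"ts": "2018-06-01T09:25:00", "user": "bob", "action": "remove_protection", "object": "statement.pdf", "classification": "confidential"}
{"ts": "2018-06-01T09:30:00", "user": "bob", "action": "open", "object": "board-minutes.docx", "classification": "restricted"}
"""


def parse_log(text):
    """Parse JSON-lines audit events and return them oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
    return events


def detect(events):
    """Return (rule_name, event) findings for the risky actions 500.14(a) targets."""
    findings = []
    for e in events:
        action = e["action"]
        cls = e.get("classification", "public")

        # A label moved to a less sensitive level weakens every downstream control.
        if action == "reclassify" and RANK[cls] < RANK[e["previous"]]:
            findings.append(("classification_downgrade", e))

        # Stripping encryption/rights protection from a message or file.
        if action == "remove_protection":
            findings.append(("protection_removed", e))

        # Confidential-or-above mail sent to any recipient outside the organization
        # (the misaddressed-email case from 500.06).
        if action == "send" and RANK[cls] >= RANK["confidential"]:
            external = [r for r in e.get("recipients", [])
                        if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
            if external:
                findings.append(("external_recipient", e))

        # An open or edit of data classified above the user's clearance.
        if action in ("open", "edit"):
            allowed = CLEARANCE.get(e["user"], "public")
            if RANK[cls] > RANK[allowed]:
                findings.append(("access_above_clearance", e))
    return findings


def reconstruct(events, txn):
    """Time-ordered trail of every logged event touching one transaction (500.06(a)(1))."""
    return [(e["ts"], e["user"], e["action"], e["object"])
            for e in events if e.get("txn") == txn]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for rule, e in detect(evts):
        print(f"{e['ts']} {rule:24} user={e['user']} object={e['object']}")
    print("trail for loan-4711:")
    for row in reconstruct(evts, "loan-4711"):
        print("  ", *row)
```

Two things the run makes visible that a list of requirements does not: bob's open of loan-4711.docx at 09:12 is within his clearance and raises no alert on its own, yet the transaction trail shows it was only possible because alice downgraded the label two minutes earlier; and carol's message trips the external-recipient rule even though one of its recipients is internal, which is exactly the misaddressed-email case the audit trail has to catch.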
500.15 - Encrypt sensitive data and nonpublic information
When sensitive data is shared by email or through file-sharing sites, the right protection needs to be applied every time. Message-level encryption driven by the message's classification label can apply the appropriate level of protection automatically, reducing both accidental disclosure through human error and deliberate leakage. Secure online collaboration tools can also provide locked-down areas for document editing, contract annotation and real-time teamwork. Note that 500.15 requires encryption of nonpublic information both in transit over external networks and at rest; where encryption is infeasible, the CISO may approve effective compensating controls instead, and must review the feasibility of encryption and the effectiveness of those controls at least annually.
Your risk assessment should also have recognized the insider threat, and tools that stop people making mistakes can make the difference. After all, an encrypted email sent to the wrong person still risks a breach, however strong the encryption.
Six months to go
To hit the next 23 NYCRR 500 milestone, a holistic, data-driven approach that reduces human error and audits all unstructured data and communications activity is the right step. The work starts now, both to protect business-critical data and to maintain customer and public trust.