In September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions that will enhance data security and require a comprehensive cybersecurity program and policies to ensure compliance.
The proposed rule is the result of DFS’s focus on cybersecurity over the past several years, in which DFS held cybersecurity discussions with various financial institutions, and issued a letter to US regulators asking for feedback on potential cyber-specific requirements.
The regulation contains several requirements that will be new or more expansive than most organizations currently practice. For example, the proposal’s call for encryption of all nonpublic information will be challenging for many organizations. While most entities encrypt data in transit, they encrypt data at rest only in more selective circumstances.
The proposal will also require the chair of the board or a senior officer to submit an annual certification that the organization is complying with the regulations. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.
Fasoo can help financial institutions meet several of the requirements in the regulation.
Encryption of Nonpublic Information
Organizations will have to encrypt nonpublic information at rest and in transit. This includes confirming a third-party service provider’s adherence to these enhanced data security requirements. Encryption requirements for data in transit must be met by March 2018, while compliance for data at rest must be met by January 2022. DFS expects that, prior to these dates, organizations secure nonpublic information using alternative compensating controls.
Fasoo can address these requirements by encrypting documents and controlling who can access them regardless of the user’s or file’s location. Below are three use cases in a financial institution where this can occur:
- A user creates or stores confidential files or derivatives in network repositories, on PCs or sends them (legitimately or by error) to third parties.
- A user checks out a file containing confidential data from a document repository. Once it is checked out, the company may not have adequate controls on who has the file or where it is located.
- An employee creates reports with customer data downloaded from a database into an Excel spreadsheet and stores them on a PC.
Organizations will have to maintain audit trails of sensitive data, including logs of access to critical systems. Fasoo provides a complete audit trail of who accessed a document, when, and from what location. An administrator can even receive alerts when detected activity exceeds normal thresholds.
Access to systems containing nonpublic information needs to be restricted to only those people with a business need for it. Fasoo assigns access control to all sensitive documents so that only users with a legitimate need at the time they open the document can access the data inside. If a user moves departments and no longer needs access to specific files, their access is automatically removed.
Organizations will have to conduct annual cybersecurity risk assessments to determine their potential vulnerability and what existing controls are in place to mitigate any risk. Since all document access is logged using Fasoo, it is simple for an organization to prove that appropriate controls are in place to mitigate risk of exposing sensitive information.
It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.
The time is now to address these enhanced data security requirements as the deadlines to meet the regulations are coming up fast.