The third in a series of NYDFS 23 NYCRR 500 roadshow events, held at PwC in New York, NY on May 18, 2017, was a great success as a room full of executives, legal, IT and security professionals discussed ways to help financial services organizations meet the new cybersecurity regulations that went into effect on March 1, 2017. Pathway to Compliance with NYDFS Part 500 was part of a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) in complying with a strict and wide-ranging regulation.
The event started with Joe Nocera, PwC principal and Cybersecurity Financial Services Industry Leader, giving an overview of 23 N.Y.C.R.R. Part 500 and many of the implications it has for financial institutions doing business in New York. Joe talked about some anticipated challenges in meeting the requirements for encryption of nonpublic information, multi-factor authentication, incident reporting and annual certification. While the technologies and processes to meet these requirements are not new, there are a lot of questions about how to apply them. For example, is endpoint encryption good enough to protect data at rest and in transit? What happens when you email a file containing nonpublic information from your PC to someone else? Once it leaves the encrypted endpoint, the file is no longer protected, so you are vulnerable.
Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”. Sponsored by Fasoo, the survey assessed the current state of readiness to comply with the new regulations. One key finding is that while most organizations believe this regulation will be harder to implement than GLBA, HIPAA or SOX, 65 percent believe it will improve their cybersecurity posture.
Dr. Ponemon’s keynote was followed by a panel discussion on Pathway to DFS Compliance. Panel members included Dr. Ponemon, John Horn from Harter Secrest, and Ron Arden from Fasoo. Items discussed by the panel included eliminating information you no longer need, automatically protecting information downloaded from databases and information repositories, and the best way to ensure you have a legally defensible environment when the auditors come calling. Another major discussion point was third-party service provider security policies. NYDFS gives covered entities two years to comply with these, since it recognizes this will be a major challenge. If you need to meet these requirements, why wouldn’t you make your service providers meet the same requirements?
The panel was followed by three presentations from security vendors Fasoo, ForgeRock, and Securonix that highlighted technologies that can help financial companies comply with the new regulation. Fasoo focused on its 6 Steps to Compliance, which covers finding and protecting nonpublic information through encryption, audit trails, access control and secure disposal of information no longer needed by the business. ForgeRock focused on its identity and access management platform, which helps meet the requirements for access control, auditing and multi-factor authentication. Securonix focused on its behavioral analytics platform, which can help understand and mitigate the risk of cybersecurity events.
Lunch followed and allowed attendees to discuss their challenges with the speakers and panel members. The feedback was that a lot of great information was shared and helped give executives and practitioners good ammunition to move their cybersecurity programs forward.