Tag: encryption of nonpublic information

Panel at PwC discussing NYDFS 23 NYCRR 500 Cybersecurity RegulationThe third in a series of NYDFS 23 NYCRR 500 roadshow events at PwC in New York, NY on May 18, 2017, was a great success as a room full of executives, legal, IT and security professionals discussed ways to help financial services organizations meet the new cybersecurity regulations that went into effect on March 1, 2017.  Pathway to compliance with NYDFS Part 500 was part of a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging regulation.

The event started with Joe Nocera, PwC principal and Cybersecurity Financial Services Industry Leader, giving an overview of 23 N.Y.C.R.R. Part 500 and many of the implications this has for financial institutions doing business in New York.  Joe talked about some anticipated challenges to meet encryption of nonpublic information, multi-factor authentication, incident reporting and annual certification.  While technologies and processes to meet these requirements are not new, there are a lot of questions about how to do it.  For example, is using end-point encryption good enough to protect data at rest and in transit?  What happens when you email a file with nonpublic information from your PC to someone else?  The file is no longer encrypted, so you are vulnerable.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped understand the current state of readiness to comply with the new regulations.  One key finding from the survey is that while most organizations believe this regulation will be harder to implement than GLBA, HIPAA or SOX, 65 percent believe it will improve their cybersecurity posture.

Dr. Ponemon’s keynote was followed by a panel discussion on Pathway to DFS Compliance.  Panel members included Dr. Ponemon, John Horn from Harter Secrest, and Ron Arden from Fasoo.  Some of the items discussed by the panel included eliminating information you no longer need, automatically protecting information downloaded from databases and information repositories and the best way to ensure you have a legally defensible environment when the auditors come calling.  Another major discussion point was around third party service provider security policies.  NYDFS gives covered entities two years to comply, since they realize this will be a major challenge.  If you need to meet these requirements, why wouldn’t you make your service providers meet the same requirements?

The panel was followed by three presentations from security vendors Fasoo, ForgeRock, and Securonix that highlighted technologies that can help financial companies become compliant with the new regulation.  Fasoo focused on its 6 Steps to Compliance that features finding and protecting nonpublic information through encryption, audit trails, access control and secure disposal of information no longer needed by the business.  ForgeRock focused on its identity and access management platform that helps meet the requirements for access control, auditing and multi-factor authentication.  Securonix focused on its behavioral analytics platform that can help understand and mitigate the risk of cybersecurity events.

Lunch followed and allowed attendees to discuss their challenges with the speakers and panel members.  The feedback was that a lot of great information was shared and helped give executives and practitioners good ammunition to move their cybersecurity programs forward.

New York Issues Final Version of Cybersecurity RegulationsThe New York State Department of Financial Services (NYS DFS) just released the final version of its new cybersecurity regulations that affect organizations doing business under New York banking, insurance and financial services regulations.  The new regulation is designated 23 N.Y.C.R.R. Part 500, and goes into affect on March 1, 2017.

Paul Greene, an attorney at Harter Secrest & Emery, in a recent blog post mentioned that the main changes in the regulation from earlier drafts is the move to a more risk-adjusted approach to cybersecurity, rather than a purely prescriptive approach.  Rather than applying a one-size-fits-all approach, the NYS DFS is allowing Covered Entities to define the risk associated with their nonpublic information before deciding on the best way to protect it.  Questions remain, however, concerning the scope and reach of these regulations.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” New York Governor Andrew M. Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

While the regulation covers everything from protecting nonpublic information to reporting on cybersecurity events, the risk based approach to compliance will most likely affect encryption, access control, audit and reporting sections of the regulation.  While most organizations agree they need to improve their cybersecurity, many are not sure what information they need to protect and how to protect it.

Part of the challenge is understanding what you have and where it is.  While many financial organizations know what is in a database or other structured information system, there are documents containing nonpublic information everywhere.  As most organizations go about their daily business, employees and contractors create documents with sensitive information and share them through email, file sharing systems, instant messaging and many other methods.  These end up on mobile devices, laptops, servers, cloud repositories and external systems.  Finding them and determining their content is step one in understanding how to protect them.

Another area not completely defined, per Paul Greene, is how Covered Entities will report material Cybersecurity Events within the 72-hour window contained in the regulations.  DFS does not yet have a system to do this.  It might be a secure reporting portal or other online system, but as of today this is not in place.

The first deadline for compliance is 180 days from their effective date.  That is August 28, 2017.  At that time financial organizations are subject to certain parts of the regulation, with the more difficult areas allowing 12 and 18 months for compliance.  I assume by August the DFS will have a way to administer the regulations.

If you are regulated in New York state by this regulation, you need to begin the process of compliance to improve your cybersecurity posture.

New York Financial Services Cybersecurity RegulationsIn September 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions that will enhance data security and require a comprehensive cybersecurity program and policies to ensure compliance.

The proposed rule is the result of DFS’s focus on cybersecurity over the past several years, in which DFS held cybersecurity discussions with various financial institutions, and issued a letter to US regulators asking for feedback on potential cyber-specific requirements.

The regulation contains several requirements that will be new or more expansive than most organizations currently practice. For example, the proposal’s call for encryption of all nonpublic information will be challenging for many organizations. While most entities encrypt data in-transit, they only encrypt data at-rest in more selective circumstances.

The proposal will also require the chair of the board or a senior officer to submit an annual certification that the organization is complying with the regulations. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.

Fasoo can help financial institutions meet several of the requirements in the regulation.

Encryption of Nonpublic Information
Organizations will have to encrypt nonpublic information at-rest and in-transit.  This includes confirming a third party service provider’s adherence to these enhanced data security requirements.  Encryption requirements for data in-transit must be met by March 2018, while compliance for data at-rest must be met by January 2022.  DFS expects that prior to these dates organizations secure nonpublic information using alternative compensating controls.

Fasoo can address these requirements by encrypting documents and controlling who can access them regardless of the user’s or file’s location.  Below are three use cases in a financial institution where this can occur:

  • A user creates or stores confidential files or derivatives in network repositories, on PCs or sends them (legitimately or by error) to third parties.
  • User checks out a file containing confidential data from a document repository. Once checked out the company may not have adequate controls on who has the file or where it’s located.
  • A employee creates reports with customer data downloaded from a database to an Excel spreadsheet and stores it on a PC.

Audit trail
Organizations will have to maintain audit trails of sensitive data, including logs of access to critical systems.  Fasoo provides a complete audit trail of who accessed a document, when and from what location.  An administrator can even receive alerts if there is activity detected which is above normal thresholds.

Access privileges
Access to systems containing nonpublic information need to be restricted to only those people with a business need for access.  Fasoo assigns access control to all sensitive documents so that only those users with legitimate need at the time they open the document, can access the data inside.  If a user moves departments and no longer needs access to specific files, their access is automatically removed.

Risk assessment
Organizations will have to conduct annual cybersecurity risk assessments to determine their potential vulnerability and what existing controls are in place to mitigate any risk.  Since all document access is logged using Fasoo, it is simple for an organization to prove that appropriate controls are in place to mitigate risk of exposing sensitive information.

It is clear that regulators across the financial services industry are focused on raising the bar for
cybersecurity programs.  Organizations need to focus on developing a robust risk-based cybersecurity program rather than reactively responding to regulatory guidance.

The time is now to address these enhanced data security requirements as the deadlines to meet the regulations are coming up fast.

Book a meeting