Cybersecurity Requirements from the New York State Department Of Financial Services 23 NYCRR 500

What Do I need to know?

Highlights

• Derived from NIST standards
• Sweeping proposal will hold banks, insurers and other financial services firms strictly accountable for shielding both in-transit and at-rest data
• The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest
• Effects Wall Street and about 1,900 companies with $2.9 Trillion (USD) in assets
• Regulates who is responsible for breach, must have awareness and action plan; pushes it up to the board
• Companies need to define criteria, have an incident response policy and update vendor management with minimum standards to do business with the financial institutions

Data encryption

• A Kingston and IronKey Encrypted USB drive is one of the solutions to standardize on for data encryption compliance
• The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest. (Section 500.15 Encryption of Nonpublic Information.)
  • Section 500.15 Encryption of Nonpublic Information.
    • (a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
• Requires organizations who process or hold personally identifiable information to implement adequate security to protect personal data loss.
• Organizations will be required to include these enhanced data encryption standards in their contracts with third party service providers. (Section 500.11 Third Party Service Provider Security Policy.)
  • Organizations with large numbers of service providers, as they must take steps to confirm each service provider’s adherence to the encryption requirements.
    • Section 500.11 Third Party Service Provider Security Policy.
      • (2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

How does this affect my business?

• Business within the banking, insurance and other financial services industry within New York City or if you provide a service or on contract as a vendor to these industry firms, you will need to follow and be subject to these rules as well.
• You will also need to be compliant to the regulation and rules in having the right systems in place for security and data storage encryption of information.
• Requires organizations who process or hold personally identifiable information to implement adequate security measures to protect personal data loss.

What should my business do to be compliant?

• Map internal and external products / devices that store data
Log and require company equipment used to be covered under your data security policy and ensure data encryption is utilized. Items such as, but not limited to: servers, hard drives, SSDs, USB Flash drives, computers and mobile devices.
• Inventory Analysis
  Evaluate the amount of personal data in totality.
• Purge
  Eliminate archives of unnecessary personal identifiable information (PII).
• Controllers of Information
  Review privacy risk and impact assessments.
• Contracts
  Future-proof your business by enacting policies now that become mandatory after the effective start date of February 2018
• Data Breaches
  Regulation requires notice within 72 hours.

Solution - Implement appropriate safeguards, technical standards and policies, such as, data encryption of personal data / personal identifiable information (PII) to mitigate risk of non-compliance. Learn more

Breach Notification

Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.