The conversation around data protection is heating up as governments start to think more strategically and globally about information security and breaches. It’s increasingly clear that we need standardized cybersecurity regulations and more intense enforcement to track criminals across borders. In the wake of tough new regulatory frameworks adopted by the European Union and California, the U.S. Commerce Department is seeking comments on how to set nationwide data privacy rules.
Since 2013, data breaches have compromised more than 14 billion records containing personal information, according to the Breach Level Index. As a result, data security has become a top priority for institutions and businesses, especially financial services companies that handle a lot of sensitive data. While much of the conversation has centered around GDPR and the California law, the New York state cybersecurity requirements for financial services companies, known as 23 NYCRR Part 500, will have a major impact on businesses and the future of security practices.
As a top global financial hub, New York is leading the way in fighting the ever-increasing number of cyber-attacks. In today’s world of interconnected financial networks, it’s no longer a question of whether a breach is going to happen but when. The Department of Financial Services’ landmark regulation addresses this issue by requiring all covered financial institutions to have a strict and comprehensive cybersecurity policy in place, ensuring people can rely on these entities to protect and secure their sensitive data.
While 23 NYCRR Part 500 was passed in 2017, its implementation, similar to the European data privacy laws, includes multiple deadlines. The latest round came into effect this September and focuses on the encryption of non-public information – considered by many security experts as the biggest and most important part of the regulation. So, what does it mean for financial institutions and how can they prepare for it?
Let’s dive deeper into the definitions. The requirements cover individuals or non-governmental entities such as partnerships, corporations and associations, including banks, check cashing companies, health insurers, life insurers, mortgage brokers, and property and casualty companies. All of these organizations work with non-public information, defined as any sensitive information, including personal financial data, Social Security numbers, account numbers, and security codes and passwords. The encryption requirement of this law means that data should be encoded in such a way that only authorized parties can access it. Importantly, encryption itself does not prevent breaches, but it renders the data unintelligible to anyone without the decryption key.
Financial services companies operate in a dynamic environment where data quickly expands in volume and constantly moves across virtual, cloud and on-premises ecosystems. This setting makes it particularly challenging for them to ensure compliance and encrypt sensitive information. That’s why organizations need to take a data-centric approach to secure the confidentiality and integrity of data throughout its lifecycle and through the multiple layers it traverses.
A data-centric approach rests on a comprehensive two-tier model built around the core encryption principles: encrypting and tokenizing the data, and securely storing and managing the cryptographic keys in a centralized manner. Since encryption is only as strong as its key management counterpart, organizations must use centralized key management and policy enforcement to improve compliance, governance, visibility and efficiency. Without owning the keys, financial services companies won’t really own their data.
In order to safeguard sensitive information and guard it against advanced threats, companies must also place security controls on the users accessing this data. This means having mechanisms in place to continuously verify identities, ensuring the right user has access to the right resource at the right level of trust, through strong access management tools that combine single sign-on, access policy enforcement and multi-factor authentication.
New York state regulations, which include policies around encryption, access controls and audit trails, set an important benchmark for all states to protect both institutions and consumers. While many current compliance regulations are outdated and don’t reflect the needs of the threat landscape, 23 NYCRR 500 actually addresses real issues the industry is struggling with. In order to respond effectively to the ever-increasing cybersecurity risks of our globalized world and ensure their cybersecurity policy meets the standards of the new requirements, financial institutions must review their encryption procedures, access privileges, and authentication approach.
The final round of compliance deadlines for 23 NYCRR 500 is March 1, 2019. By that date, financial institutions will be required to implement third-party service provider security policies and ensure compliance with all parts of the regulation.