Breaking down New York’s new cyber regulations

Here’s how to get compliant sooner, rather than later.

New York’s new cyber regulations
Credit: Thinkstock
New regs

In late September, the New York Department of Financial Services (NY DFS) and Gov. Andrew Cuomo announced a series of new rules strengthening cybersecurity requirements for financial firms in the state of New York. Financial firms are treasure troves of private client data and one of the most sought-after targets for attackers. In the face of these new regulations, banks, hedge funds, insurers, and financial institutions must ensure client information, PII, investment strategy and all non-public information is safe and protected.

Ajay Arora, CEO and co-founder of data security startup Vera, shares insight on navigating the newest set of cybersecurity regulations to help firms adopt a security strategy that scales in the face of future cybersecurity requirements.

Why is this happening? The “data everywhere” problem

A big driving force for the NY DFS is how often client information is shared “everywhere,” and how little control financial firms have over their data once it’s shared with third-party vendors, according to a survey of close to 200 banking institutions and insurers. These tighter regulations are meant to put cybersecurity at the forefront of every financial institution’s agenda.

What’s new? A clear focus on protecting data directly

Although the NY DFS cyber regulations build on the earlier work by the SEC and the NAIC, there are four new data-centric requirements for financial firms. These are the requirements to (1) encrypt all “nonpublic information held or transmitted” in the firm, (2) restrict access privileges, (3) implement an audit trail, and (4) provide for the retention and “timely destruction” of non-public information.

Let’s cut to the chase. Simple encryption isn’t enough

The data-centric nature of these requirements presents a bit of a curveball to security and risk teams. To comply, firms will need to implement protections beyond simple encryption at rest and in transit.

Encryption at rest and in transit only protects data while it’s exchanged between two trusted parties. Unfortunately, simple encryption cannot scale to meet the enhanced NY DFS requirements: it does not limit access rights, does not provide the audit trail needed, and offers no way to remotely dispose of records and other information.

Protect data directly with dynamic controls

What's needed is a way to take control of the data dynamically and in real time, by changing the specific policies attached to the data. Being able to control who has access to information, what they can do with it, and how long they have access for gives firms the added security needed to meet these new regulatory standards.

Define access controls at the data-level

In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter level. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information.

Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it’s stored, or how it’s shared.

Choose solutions that automate audit trail requirements

In the past, the requirement for an audit trail on data access was seen as an add-on or an afterthought. The NY DFS requirements call for improved visibility into data use, and a way to track and log access privileges and reconstruct transactions.

By implementing security solutions that automatically log all authorized and unauthorized access attempts to your data, anywhere it goes, you improve not only your visibility but also your ability to identify dangerous behavior in advance. You can proactively stop data loss before it happens and prevent employees from walking away with confidential information.

Prioritize solutions that balance simplicity with security

Too often, security teams layer on additional technology to respond to regulations and ignore the importance of seamless, simple tools that power collaboration and business processes. This often creates a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. Any scalable, viable data security approach must balance and provide both strong security and usability to best serve the business users it is designed to protect.

Provide for the retention and “timely destruction” of your data, instantly

Not just for data that’s located internally, but anywhere that data travels. This is critical for financial institutions that work with hundreds of third-party vendors. How many times have we heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.
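The four data-centric requirements the preceding slides walk through (encryption, identity-scoped access, an audit trail on every attempt, and the owner's ability to kill access remotely) shown together in one added example; this is not code from the article or from Vera. It uses a one-time pad held by a policy-enforcing key service as a stand-in for a real KMS-backed cipher, and the identities, object ids and epoch timestamps are constructed.

```python
# Added example, not the article's or any vendor's code; identities, ids and times are constructed.
import secrets
from dataclasses import dataclass

@dataclass
class Envelope:
    object_id: str
    ciphertext: bytes      # inert without the key the service holds
    owner: str
    readers: frozenset
    expires_at: int        # epoch seconds
    revoked: bool = False

class DataControlService:
    """Releases plaintext only after identity, expiry and revocation checks; logs every attempt."""
    def __init__(self):
        self._keys = {}       # object_id -> one-time key (a real system would use AES-GCM via a KMS)
        self.audit_log = []   # (actor, object_id, action, outcome)

    def _log(self, actor, object_id, action, outcome):
        self.audit_log.append((actor, object_id, action, outcome))

    def protect(self, owner, object_id, plaintext, readers, ttl_seconds, now):
        key = secrets.token_bytes(len(plaintext))   # one-time pad: fresh random key as long as the data
        self._keys[object_id] = key
        self._log(owner, object_id, "protect", "ok")
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, key))
        return Envelope(object_id, ciphertext, owner, frozenset(readers), now + ttl_seconds)

    def access(self, actor, env, now):
        if env.revoked or env.object_id not in self._keys:
            denial = "revoked"
        elif now >= env.expires_at:
            denial = "expired"
        elif actor != env.owner and actor not in env.readers:
            denial = "not_authorized"
        else:
            self._log(actor, env.object_id, "access", "ok")
            return bytes(c ^ k for c, k in zip(env.ciphertext, self._keys[env.object_id]))
        self._log(actor, env.object_id, "access", "denied:" + denial)
        return None

    def revoke(self, actor, env):
        if actor != env.owner:
            self._log(actor, env.object_id, "revoke", "denied:not_owner")
            return False
        env.revoked = True
        self._keys.pop(env.object_id, None)   # timely destruction: key gone, every copy of the ciphertext is inert
        self._log(actor, env.object_id, "revoke", "ok")
        return True
```

Because the key never leaves the service, a file copied to a vendor's laptop stays readable only while the owner's policy allows it, and the audit log records the denied attempts as well as the successful ones.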

These regulations are bigger than New York and touch every industry

Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that New York’s cyber regulations will be rapidly adopted by similar regulatory bodies domestically and around the world.

These regulations signal one thing: protecting the perimeter and your information systems alone won’t cut it to meet these mandates. Firms will need to deploy a data-centric strategy with dynamic forms of data protection that extend beyond their current systems.

The good news: these proposed regulations will not only reduce the risk of external attacks for your firm, they’ll also dramatically reduce the risk of data breaches from insider threats, negligence, and the unintentional misuse of data.