Starting today, certain financial services companies based in New York will have to comply with the state’s new cybersecurity requirements, known by the (very long) acronym 23 NYCRR 500. On the line for affected banks and insurers are both penalties for non-compliance and potential business loss if they continue to expose their businesses to cyber threats.
The regulations took effect March 1 but included a three-month grace period for companies to get organized before needing to meet the first wave of mandates. Companies will have ongoing deadlines over the next two years as further layers of compliance continue to take effect. Notably, affected financial services companies will need to have an encryption strategy in place by September 2018.
Why Financial Services Companies
Financial institutions occupy an outsize role in New York’s economy. They’re also a main target of cyber threats. Because of that, many financial institutions and consumers have seen significant financial losses at the hands of cybercriminals.
With 23 NYCRR 500, New York State’s Department of Financial Services is attempting to close this vulnerability. All financial firms headquartered or operating in New York need to either strengthen their current cyber security plan or create an entire program from the ground up.
If the outcome of this cybersecurity regulation is successful in New York, other states may release similar guidelines in the future.
23 NYCRR 500 and Encryption
The regulatory framework has multiple requirements, including the writing of a cyber security policy, the hiring of a CISO, and the running of vulnerability assessments. Critical to compliance is an encryption strategy, which companies must have in place by September 2018.
How should financial services companies approach an encryption strategy? The foundation begins with implementing protected security intelligence logs that identify irregular access patterns and breaches in progress.
Once that’s in place, companies need to protect their data both at rest and in motion. Encryption strips data of its meaning, therefore rendering it useless to cyber criminals.
But companies would do well to go beyond compliance to introduce other cyber security best practices across devices, processes, platforms and environments. These include:
- restricting access to controls to let only credentialed users retrieve data;
- centrally managing and securely storing encryption keys from across your organization; and
- using hardware security modules to provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more.
The key is for the state’s financial services companies to look at their solutions to 23 NYCRR 500 in a holistic way. They need to design a comprehensive cyber security program that addresses each of the regulation’s elements in a seamless fashion.
To read more about what Thales can offer for 23 NYCRR 500 compliance, click here.