NYDFS Cybersecurity Regulation banner

NYDFS Cybersecurity Regulation

Thales can help your organization comply with New York State Cybersecurity Requirements for Financial Services Companies

New York State Cybersecurity Requirements for Financial Services Companies Compliance

compliance-map
Regulation | Active Now

The New York State Cybersecurity Requirements for Financial Services Companies, or 23 NYCRR Part 500, took effect March 1, 2017. These Requirements address a broad array of topics from policy and governance issues to security methods.

Thales provides many of the solutions you need to comply with these requirements.

  • Regulation
  • Compliance

Regulation Summary

New York State’s Department of Financial Services Cybersecurity Requirements for Financial Services Companies regulation:

Is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.1

We excerpt below specific Sections of 23 NYCRR Part 500 with which Thales can help your organization comply:

Section 500.06 Audit Trail

Each covered entity shall … include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

Section 500.07 Access Privileges

As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

Section 500.08 Application Security

Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

Section 500.11 Third Party Service Provider Security Policy

Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.

Section 500.14 Training and Monitoring

As part of its cybersecurity program, each Covered Entity shall … implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users….

Section 500.15 Encryption of Nonpublic Information

As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

1 https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services
_23NYCRR500.pdf

Compliance Summary

Thales can help you meet the many of the requirements in 23 NYCRR Part 5001 through the following:

Section 500.06 Audit Trail

Thales’ CipherTrust Data Security Platform includes CipherTrust Security Intelligence logs that generate audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of harming any material part of the normal operations of the enterprise.

Section 500.07 Access Privileges

Thales’ Access Management and Authentication solutions and CipherTrust Manager protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Section 500.08 Application Security

With Thales’ CipherTrust Application Data Protection your organization can encrypt specific files or columns in databases, big data nodes, and platform-as-a-service (PaaS) environments. The application encryption solution features a set of documented, standards-based APIs that can be used to perform cryptographic and key management operations in your technology ecosystem.

Section 500.11 Third Party Service Provider Security Policy

Thales can work with you and your third-party service providers to ensure their security meets your own rigorous standards. In addition, Thales has specialized cybersecurity products and services for enterprises using the Cloud, SaaS, and other third-party services. These include multi-cloud encryption with centralized key and access control management as well as cloud key management and protection.

Section 500.14 Training and Monitoring

Thales’ CipherTrust Transparent Encryption delivers CipherTrust Security Intelligence Logs that let your organization identify unauthorized access attempts, as well as build baselines of authorized user access patterns. CipherTrust Security Intelligence completes the picture with pre-built integration to leading Security Information and Event Management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts and collects all the data needed to build behavioral patterns required for identification of suspicious use by authorized users.

Section 500.15 Encryption of Nonpublic Information

Thales’ CipherTrust Transparent Encryption protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable, and fast with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the CipherTrust Manager.

Thales also offers High Speed Encryptors (HSEs) that provide network independent data-in-motion encryption (Layers 2, 3, and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.

1 https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

Related Resources

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

SafeNet Authenticators - Brochure

SafeNet Authenticators - Brochure

Offering the broadest range of multi-factor authentication methods and form factors, Thales facilitates and empowers enterprise-wide security initiatives for maintaining and improving secure access to enterprise resources.

Thales CipherTrust Data Discovery and Classification - Product Brief

Thales CipherTrust Data Discovery and Classification - Product Brief

Review the capabilities of data discovery and classification of sensitive data, which is integrated with the CipherTrust Manager management console.

CipherTrust Transparent Encryption - White Paper

CipherTrust Transparent Encryption - White Paper

Enterprise digital transformation and increasingly sophisticated IT security threats have resulted in a progressively more dangerous environment for enterprises with sensitive data, even as compliance and regulatory requirements for sensitive data protection rise. With attacks...

CipherTrust Transparent Encryption - Product Brief

CipherTrust Transparent Encryption - Product Brief

CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management, privileged user access control, and detailed data access audit logging that helps organizations meet compliance and best practice requirements for protecting data, wherever it...

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

The Enterprise Encryption Blueprint - White Paper

The Enterprise Encryption Blueprint - White Paper

You’ve been tasked with setting and implementing an enterprise wide encryption strategy, one that will be used to guide and align each Line of Business, Application Owner, Database Administrator and Developer toward achieving the goals and security requirements that you define...

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Business critical data is flowing everywhere. The boundaries are long gone. As an enterprise-wide data security expert, you are being asked to protect your organization’s valuable assets by setting and implementing an enterprise-wide encryption strategy. IT security teams are...

SafeNet High Speed Encryption 솔루션 최상의 데이터 전송 보안을 제공합니다.

High Speed Encryption Solutions - Solution Brief

Networks are under constant attack and sensitive assets continue to be exposed. More than ever, leveraging encryption is a vital mandate for addressing threats to data as it crosses networks. Thales High Speed Encryption solutions provide customers with a single platform to ...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.