After a series of rolling deadlines that began when New York State’s Cybersecurity Requirements for Financial Services Companies went into effect on March 1, 2017, the eighteen-month transitional period ended on September 3, 2018 and organizations must now comply with all sections of the law.1
Known as 23 NYCRR Part 500, the mandates cover individuals and non-government entities such as partnerships, corporations, and associations and include:
There are a number of new requirements with, perhaps, the most significant and far-reaching being:
Encrypting Sensitive Data. This requirement targets sensitive information particularly attractive to criminals such as account numbers, personal financial data, social security numbers, and security codes and passwords. Organizations are required to encrypt this nonpublic information whether it is: at rest in databases, applications, and storage or in transit as it moves across the network and between data centers. The organization’s Chief Information Security Officer is further required to review this activity annually.
Equally important is the secure management of the keys to the encrypted data. As data expands and moves from the data center to the cloud, organizations must use centralized key management and policy enforcement. This will go a long way in improving compliance, governance, visibility, and efficiency.
Additional important requirements include:
Establishing an Audit Trail. The organization should map out an audit trail of all financial transactions and retain that information for a minimum of five years.
Developing Application Security. Compose written procedures, guidelines, and standards for the secure development of applications. This encompasses applications developed in-house and must include procedures for evaluating, assessing, and testing third party applications.
Drawing Data Retention Limitations. Set up policies and procedures for periodically and securely disposing of any nonpublic information no longer necessary for business operations or for other legitimate business purposes. There are exceptions as in cases where the information may need to be retained by law or regulation, or where disposal is not feasible due to the manner in which the data is maintained.
Monitoring User Activities. Implement risk-based policies, procedures, and controls to monitor authorized user activity and detect unauthorized access, use, or tampering with the nonpublic information of authorized users. This part of the mandate can be fulfilled by adopting an Access Management strategy that also addresses the broader multi-factor authentication and user access controls required by the new law.
Another Deadline is also Approaching
In addition, on March 1, 2019, financial services companies will be required to comply with the requirements of 23 NYCRR 500.11. This law covers third-party service provider security policies including access management, data encryption, risk assessments of third parties and other requirements.
Questions? If these requirements have raised questions or concerns relating to your particular business, contact Alexander Moshinsky at 212.331.7448 | email@example.com.
About Berdon Operational Advisory and Risk Management
1 The single exception is 23 NYCRR 500.11, Third Party Service Provider Security Policy with a March 1, 2019 deadline.