How to Deal with Changing Financial Cybersecurity Regulations
Late last year the New York State Department of Financial Services (DFS) announced that New York would be proposing a “first in the nation” cybersecurity rule, to go into effect on March 1, 2017, that would affect any bank, insurance company or other entity regulated by DFS. The rule requires that every regulated company design a cybersecurity program that assesses its risks, so as to ensure the safety and soundness of the cybersecurity protections in place, with the goal of better protecting its customers.
In addition to laying out broader requirements around staffing, training, audit and the like, this regulation sets minimum standards for the design of a sound cybersecurity program, one that addresses prevention, identification, remediation and validation across a number of technology areas.
With the growing value of financial records to hackers, this rule was meant to protect consumer data and financial systems from nation states, terrorist organizations and other criminal enterprises. In fact, just this past week the US handed out its first ever indictments to Russian spies for the breach of Yahoo. This is why fast-growing companies like GrubHub and Melaleuca are hiring cybersecurity experts to ensure their customer records remain safe and untouched. These companies complete thousands of financial transactions on a daily basis, so cybersecurity is a must.
This month, 23 NYCRR 500 went into effect and, while we can’t yet say how organizations are reacting or if they are ready, we can help to prepare you for when this “first in the nation” rule becomes an “expected standard of the nation”.
To help you prepare for meeting the 23 NYCRR 500 regulations, we’ve put together an eBook that breaks down what you need to do to be compliant with several of the cybersecurity sections. I’ve listed a few of the sections below, but you can download the full eBook here.
Section 500.03 is broadly labeled “Cybersecurity Policy” and outlines several different solutions or processes that you should include in your security plan in order to be compliant, including:
Data governance is all about understanding and managing your critical information, including information that resides in documents, files and folders (unstructured data) rather than being organized in databases or applications (structured data). Your employees are continuously creating new documents, folders and files on your servers, and you need a way to govern who has access to them. Managing this information manually is an option, and is often how it is done; however, modern cybersecurity teams are instituting automated solutions, which are more effective.
One option for automation is a Data Access Governance (DAG) solution. This is an auditing, compliance and governance framework for unstructured data and critical applications that provides comprehensive data collection, analysis, categorization, remediation workflows and reporting. These solutions are automated, scalable and interoperable with your Identity and Access Management (IAM) and HR systems, and they secure your data by applying a consistent permissions model and enforcing least-privilege access control.