NYDFS Cybersecurity Regulations and Encryption – 7 Steps to Compliance
On March 1, 2017, the New York Department of Financial Services (NYDFS) made its cybersecurity regulations for the financial services industry effective and gave covered entities 180 days to achieve compliance. The financial sector includes banks, insurance companies, consumer lenders and money transmitters. The law, formally known as 23 NYCRR 500, takes a very prescriptive approach to cybersecurity, including a mandate to encrypt data at rest.
There’s not much wiggle room in the requirement for encrypting sensitive data. You can use compensating controls if you can show that encryption is “infeasible.” However, that would be difficult to prove considering that all modern database systems used by financial applications support encryption.
Financial organizations operating in New York State have likely already taken measures to meet 23 NYCRR 500 compliance. Organizations outside the “Empire State” should also be taking steps to strengthen their security. The spread of stricter financial cybersecurity regulations following New York’s high standard is anticipated. So, no matter where your organization is located, you’ll want to be prepared.
7 steps to meeting NYDFS cybersecurity regulations
Here are the steps to take to make sure your organization is compliant:
1) Inventory all your financial systems
This may seem like a no-brainer, but you might be surprised to learn how many organizations do not have a formal inventory of the IT systems that hold financial data. This is a top-of-the-list item on any list of cybersecurity recommendations, so it is worth creating or updating this inventory.
2) Document storage of all sensitive information
For each system in your inventory (see Step 1), document every database and storage mechanism that stores Non-Public Information (NPI). For database systems, identify all tables and columns that contain NPI. You will need this documentation to meet the NYDFS requirements. It is also a roadmap to meeting the encryption requirements.
3) Prioritize your encryption projects
Follow modern cybersecurity guidance by prioritizing the systems and applications to be addressed using a risk model. Here are a few factors that can help you prioritize:
- Sensitivity of data
- Amount of data at risk
- Exposure risk of the systems and data
- Compliance risk
- Operational impact of loss
It is fine to be practical about how you prioritize the systems, but you should avoid assigning a “high priority” label to a system simply because it is the easiest to address. It is best practice to tackle the biggest risks first.
4) Establish encryption standards
Be careful which encryption algorithms you use to protect sensitive data. In the event of a loss, you do not want to be using home-grown or non-standard encryption. Protect data at rest with NIST-compliant, 256-bit AES encryption. This will give you the most defensible encryption strategy and is readily available in all major operating systems such as Windows, Linux, and IBM enterprise systems.
5) Establish key management standards
Protecting encryption keys is the most important part of your encryption strategy. It’s also an area where many organizations fail. Encryption keys need to be stored away from the encrypted financial data in a security device that is specifically designed for this task. There are a number of commercial key management systems to choose from. Be sure your system is FIPS 140-2 compliant and implements the industry standard Key Management Interoperability Protocol (KMIP).
Hint: Don’t fall into the project-killing trap of trying to find a key management system that can meet every key management need you have in the organization. The industry just isn’t there yet. Pick a small number of key management vendors with best-of-breed solutions.
With well-defined encryption standards and an encryption key management strategy in hand, you are ready to get started with your encryption projects.
6) Analyze performance and operational impacts
Naturally, encryption will have some impact on performance and operations. Encryption is a CPU-intensive task, so you should plan to do performance analysis of your application in real-world scenarios. If you don’t have test environments that support this analysis, you’ll need to start building these. They will be invaluable as you move forward. Modern encryption is highly optimized, and you can implement encryption without degrading the user experience. Just be prepared to do this analysis before you go live.
There are also operational impacts when you start encrypting data. Your backups may take a bit more storage and take longer to execute, so be sure to analyze this as part of your proof-of-concept. Encrypted data does not compress as well as unencrypted data, and this is the main cause of operational slowdowns. For most organizations this will not have a major impact, but be sure to test it before you deploy encryption.
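As an added illustration of steps 4 and 6 (this is not code from the original article or from Assure Security), the Go program below seals a constructed backup set with AES-256-GCM using a key supplied by the caller, then measures how gzip compresses the plaintext versus the ciphertext. The row format, the key handling and the row count are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptAES256GCM seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// Only a 32-byte key is accepted, so a shorter AES-128 key cannot slip in by mistake.
func encryptAES256GCM(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gzipRatio returns compressed size divided by original size at gzip's default level.
func gzipRatio(data []byte) float64 {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data) // writes into a bytes.Buffer do not fail
	w.Close()
	return float64(buf.Len()) / float64(len(data))
}
// compressionRatios builds a constructed backup set of `rows` identical customer-table rows
// (fabricated placeholder values, not real NPI) and returns the gzip ratio of the plaintext
// and of its AES-256-GCM ciphertext; the key is held by the caller, never beside the data.
func compressionRatios(key []byte, rows int) (ptRatio, ctRatio float64, err error) {
	pt := bytes.Repeat([]byte("000123,EXAMPLE CUSTOMER,000-00-0000,ACCT-00000123\n"), rows)
	ct, err := encryptAES256GCM(key, pt)
	if err != nil {
		return 0, 0, err
	}
	return gzipRatio(pt), gzipRatio(ct), nil
}
```

The plaintext set shrinks to a small fraction of its size, while the ciphertext compresses to roughly its original size or slightly larger, which is the backup-storage effect the step above tells you to measure.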
7) Get started
We’ve seen many organizations fail to start their encryption projects, even when they have done the initial planning. Barriers such as a lack of commitment by senior management, a lack of IT resources, and competing business objectives can delay the project. Don’t let your organization fall into this trap. Begin your first project and get it into production. Then analyze the project to determine how to do it better as you move forward.
Fortunately, there are many resources available today that were not available even 10 years ago. Good encryption solutions are available and affordable for traditional environments on-premises, for VMware infrastructure, and for cloud applications.
Assure Security can help your organization comply with cybersecurity regulations, such as 23 NYCRR 500, and strengthen IBM i security. For more information about cybersecurity compliance, read our eBook: Five IT Security Best Practices Derived from 23 NYCRR 500.
New York Department of Financial Services: http://www.dfs.ny.gov/legal/regulations/proposed/propdfs.htm
Harvard Law School analysis of NYDFS: https://corpgov.law.harvard.edu/2016/09/24/nydfs-proposed-cybersecurity-regulation-for-financial-services-companies/