Back in 2017, the New York State Department of Financial Services (NYDFS) brought forward a cybersecurity regulation aimed at the financial industry. The GDPR-like regulation includes incredibly strict requirements for reporting data breaches and limiting data retention.
There are a few commonalities between the NYDFS Cybersecurity Regulation and other well-known regulations, including controls for data security, risk assessment processes, security policy documentation and the appointment of a CISO.
The objective of this regulation, as with other similar regulations, is to ensure that sensitive information (personally identifiable information, or PII) is protected.
What is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities.” What this essentially amounts to is a requirement for a risk assessment to be conducted and used to implement a proactive and sophisticated security strategy. Security strategies should be set up in three stages: detection, prevention and response.
The NYDFS Cybersecurity Regulation focuses on financial services companies in the State of New York. Covered entities include but are not limited to banks, insurance companies, mortgage brokers, lenders and credit unions. There are some notable exceptions to the covered entities. If your company has fewer than 10 employees, turns over less than $5,000,000 in gross annual revenue or has less than $10,000,000 in year-end total assets, then you may be exempt.
How the NYDFS Cybersecurity Regulation Works to Protect Sensitive Data
If you are a large financial organization in New York, then it’s likely you already fall under another compliance regulation like PCI-DSS or SANS CSC 20. If that is the case, then you are probably already enforcing the security practices and policies that are required by the NYDFS.
Some of the policies and practices you will need to look into if you want to achieve and maintain NYDFS compliance include data classification, data access governance, user behavior analytics, change auditing, incident response and data recovery.
By requiring the designation of a CISO, the NYDFS highlights its objectives as a method of maintaining data security and data privacy. Organizations with active CISOs are usually better equipped to create and sustain security strategies that ensure the protection of PII.
What Are the Requirements of the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation requires covered entities to undertake the following actions:
- Maintain an Audit Trail – Ensure you record and respond to any suspicious, unwanted or unauthorized events in your environment that relate to sensitive data. Audit trails will have to be maintained for a period of five years (Section 500.06).
- Govern Access to Sensitive Data – Ensure you implement and maintain a policy of least privilege where access to PII is restricted to only those employees requiring permissions. These permissions should also be reviewed regularly (Section 500.07).
- Run Regular Risk Assessments – These should be run at a minimum of once per year but preferably far more regularly. Risk Assessments should be used to highlight areas of weakness and assess the current state of data security (Section 500.09).
- Limit Data Retention – PII that is no longer necessary for business operations or for any other legitimate purpose must be properly disposed of. The disposal of this data must be prompt and the process must be watertight (Section 500.13).
- Develop an Incident Response Plan – An internal plan for detecting and responding to cybersecurity incidents must be developed, tested and implemented (Section 500.16).
- Notify Authorities Within 72 Hours of a Breach – You must make sure you notify the NYDFS within 72 hours of a breach that affects sensitive data and has a reasonable chance of harming those involved.
How Lepide Can Help with NYDFS Cybersecurity Compliance
The Lepide Data Security Platform is designed to help organizations improve data protection, meet compliance and detect/respond to threats. As a result, Lepide is well equipped to achieve and maintain NYDFS Cybersecurity Compliance.
Implementing a Cybersecurity Program (Section 500.02)
Lepide can help you develop a data protection program that focuses on protecting PII within your environment. Using Lepide, you can identify and classify PII, determine who has access to it (and spot excessive permissions), analyze user behavior, and report and alert on anomalies/threats.
Audit Trail (Section 500.06)
Lepide provides users with a single platform to manage risk and implement data protection strategies. Built-in reports enable you to search through an audit trail of events to investigate breaches. These reports provide key audit data, including who, what, when and where information, in an easy-to-read format.
Data Access Governance (Section 500.07)
With Lepide, you can identify which users have access to PII so that you can maintain appropriate access rights. Ongoing permissions analysis helps you to spot changes to permissions that may affect your least privilege position. You can even spot which users have excessive permissions so that you can revoke them.
Risk Assessment (Section 500.09)
The Lepide Risk Assessment dashboard gives you an overview of the critical areas of risk in your environment. Information on the amount of PII you store, where it is stored, who has access to it and what users are doing with it is all displayed on one intuitive dashboard. Lepide can also provide a completely free, turnkey risk assessment report that highlights current active threats in your critical environment.
Monitoring Data Interactions and Incident Response (Sections 500.14 and 500.16)
Lepide actively monitors user behavior, including file copies, deletes, moves, renames, modifications and more. Unusual or unwanted modifications can trigger a real-time alert to ensure the CISO has visibility over current threats.
Lepide can also help you respond to active threats in your organization by automatically triggering a script on alert. Scripts can be used to stop a ransomware attack, isolate a particular user or server, and mitigate the damage of an attack in progress.