The cybersecurity regulation (23 NYCRR 500) adopted by the New York State Department of Financial Services (NYDFS) is nearly two years old. The 2017 bill, the first of its kind, will be fully implemented as of March 1st, 2019. Leading up to that date, companies have had to meet several milestones, including hiring a CISO, encrypting all of their non-public consumer data and enabling multi-factor authentication. Even though these regulations only apply to New York, financial institutions across the U.S. need to take note, as similar regulations will likely appear in other states sooner rather than later.
September Checklist, March Reminder
In September, financial services companies faced the largest set of regulations in the process thus far. Audit trails, application layer security, authorized user monitoring, data retention limits and encryption of all non-public data must have been in place by September 3rd. Measures like these, once referred to as security “best practices,” have moved from “nice to have” to “you better have.” Audit trails are a particularly important regulation for banks, allowing for a clear view of access to the sensitive data frequently targeted by threat actors. Application layer security ensures secure development practices for in-house developed applications. Authorized user monitoring provides accountability for who in the institution has access to what non-public information. Finally, data retention restrictions and encryption limit both the availability and the accessibility of non-public information. Encryption in particular is the last line of defense in the event the company is ever breached.
In addition to the regulations enforced in September, financial companies need to keep their eye on the finish line in March. The last leg of total compliance is to “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” This step ensures that entities doing business with New York licensed financial service companies are taking the same protective measures with customer and company data. As the saying goes, “you’re only as strong as your weakest link,” and in New York your security is only as strong as that of whoever you are doing business with.
Looking Ahead to 2019 and 2020
Given New York’s status as the nation’s center of finance, it isn’t unreasonable to predict that other states will follow suit. Similar regulations are also likely to spread to other companies and industries that have access to or retain customer data. After all, attackers target sensitive data wherever it may reside, not just at financial companies registered in New York.
Because of this, 2019 and 2020 will likely see a significant uptick in data privacy regulations. California’s Consumer Privacy Act will take effect on Jan 1, 2020, data privacy legislation has been introduced in at least two dozen other states, and recurring high-profile data incidents mean that further regulation will be hard to avoid.