New York State has made history as the first state to enact a set of cybersecurity regulations for all entities that do business with the state. The regulations, which first took effect in March this year (23 NYCRR Part 500), become mandatory starting August 28th. They require all banks, insurance companies, mortgage brokers and other financial institutions to establish written policies annually that describe how they penetration test their networks, assess software vulnerabilities, train their employees in cybersecurity awareness, and so on. They also require every organization that must comply with the regulation to appoint a Chief Information Security Officer (CISO) to oversee all security-related training, activities, and implementation of the cybersecurity policy.
The regulation also establishes requirements for encryption of sensitive data, both within the network and during communication:
Section 500.15, “Encryption of Nonpublic Information,” requires each Covered Entity to implement controls, including encryption, based on the Covered Entity’s Risk Assessment, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. This section allows for the use of effective compensating controls to secure Nonpublic Information in transit over external networks and at rest if encryption of such is infeasible. Such compensating controls must be reviewed and approved by the Covered Entity’s CISO. To the extent that a Covered Entity is utilizing compensating controls, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
It’s evident that New York State is taking the recent spike in highly publicized ransomware attacks, data leaks, and other cyber attacks extremely seriously. But this does not only affect the operations of organizations registered in the state. It is a requirement for ALL entities that do business in the state, even if they are registered out-of-state or even out-of-country. Similar to the upcoming GDPR regulations put out by the EU, these regulations are expected to have wide-ranging effects rippling across the US. It is very likely that many other states will follow suit and enact similar cybersecurity regulations, which may lead to a consolidated set of federal regulations in the not too distant future.
GlobalCerts can serve an integral role in helping your organization comply with the regulations set forth in 23 NYCRR Part 500. Our SecureMail Gateway solution can help by protecting your non-public information as it leaves your network through email, one of the most common sources of data leaks. The integrated DLP technology can be configured to automatically detect private information leaving your organization through email and automatically encrypt it, block it or notify your Information Security (IS) department. Contact us today to find out how easy we make it to comply with this and other cybersecurity regulations.
Summary of Regulation Sections: https://docs.dos.ny.gov/info/register/2017/march1/pdf/Rule%20Making%20Activities.pdf
Press Release from NY State: http://dfs.ny.gov/about/press/pr1708281.htm
Full text available here: http://dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf