NYDFS Cybersecurity Regulation

Thales eSecurity can help your organization comply with New York State Cybersecurity Requirements for Financial Services Companies

New York State Cybersecurity Requirements for Financial Services Companies Compliance

The New York State Cybersecurity Requirements for Financial Services Companies, or 23 NYCRR Part 500, took effect March 1, 2017. Covered entities “will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations.”

Key dates are:

  • March 1, 2017 - 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 - 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
  • February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 - One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 - Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500. [This is where encryption and monitoring of authorized users go into force.]
  • March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

Thales eSecurity provides many of the solutions you need to comply with these requirements.

Regulation Summary

New York State’s Department of Financial Services Cybersecurity Requirements for Financial Services Companies regulation:

Is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.[1]

We excerpt below specific Sections of 23 NYCRR Part 500 with which Thales eSecurity can help your organization comply:

Section 500.06 Audit Trail

Each covered entity shall … include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

Section 500.07 Access Privileges

As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

Section 500.08 Application Security

Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

Section 500.11 Third Party Service Provider Security Policy

Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.

Section 500.14 Training and Monitoring

As part of its cybersecurity program, each Covered Entity shall … implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users….

Section 500.15 Encryption of Nonpublic Information

As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.

Compliance Summary

Thales eSecurity can help you meet many of the requirements in 23 NYCRR Part 500 through the following:

Section 500.06 Audit Trail

Thales eSecurity’s Vormetric Data Security Platform includes Security Intelligence Logs that generate audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the enterprise.

Section 500.07 Access Privileges

Thales eSecurity’s Vormetric Data Security Manager enables the organization to limit user access privileges to Information Systems that provide access to Nonpublic Information.

Section 500.08 Application Security

With Thales eSecurity’s Vormetric Application Encryption your organization can encrypt specific files or columns in databases, big data nodes, and platform-as-a-service (PaaS) environments. The application encryption solution features a set of documented, standards-based APIs that can be used to perform cryptographic and key management operations in your technology ecosystem.

Section 500.11 Third Party Service Provider Security Policy

Thales eSecurity can work with you and your third-party service providers to ensure their security meets your own rigorous standards. In addition, Thales has specialized cybersecurity products and services for enterprises using the Cloud, SaaS and other third-party services. These include multi-cloud encryption with centralized key and access control management as well as cloud key management and protection.

Section 500.14 Training and Monitoring

Thales eSecurity’s Vormetric Transparent Encryption delivers Security Intelligence Logs that let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence completes the picture with pre-built integration to leading Security Information and Event Management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts, and provides the data needed to build the behavioral patterns required to identify suspicious use by authorized users.
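The monitoring approach described above, as an added example that is not Thales or Vormetric code: it assumes a constructed key=value audit-record format and constructed sample lines, escalates policy-denied attempts immediately, and compares an authorized user's permitted activity against a baseline of that user's normal directories and hours of activity. The field names (`ts`, `user`, `action`, `path`, `result`) and the two-component directory bucketing are illustrative choices, not a product format.

```python
"""Baseline-and-deviation detection over file-access audit records.

Added example, not Thales/Vormetric code. The log format and sample lines
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    path: str
    result: str  # "permit" or "deny" (constructed vocabulary)


class Baseline(NamedTuple):
    dirs: Set[str]   # top-level directories the user normally touches
    hours: Set[int]  # hours of day in which the user is normally active


def parse_line(line: str) -> Event:
    """Parse one constructed key=value audit line into an Event."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        ts=datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
        user=fields["user"],
        action=fields["action"],
        path=fields["path"],
        result=fields["result"],
    )


def top_dir(path: str) -> str:
    """Reduce a file path to its first two directory components, e.g. /data/hr."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:2])


def build_baseline(events: List[Event]) -> Dict[str, Baseline]:
    """Summarise each user's *permitted* activity in the training window."""
    dirs, hours = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev.result != "permit":
            continue  # denied attempts are not part of normal behaviour
        dirs[ev.user].add(top_dir(ev.path))
        hours[ev.user].add(ev.ts.hour)
    return {u: Baseline(dirs[u], hours[u]) for u in dirs}


def finding(severity: str, ev: Event, reason: str) -> dict:
    """Shape one finding the way a SIEM forwarder would consume it."""
    return {"severity": severity, "user": ev.user, "path": ev.path, "reason": reason}


def evaluate(events: List[Event], baseline: Dict[str, Baseline]) -> List[dict]:
    """Return one finding per event that warrants escalation or review."""
    findings = []
    for ev in events:
        if ev.result == "deny":
            # Policy already blocked it; escalate immediately.
            findings.append(finding("high", ev, "unauthorized access attempt (policy denied)"))
            continue
        base = baseline.get(ev.user)
        if base is None:
            findings.append(finding("medium", ev, "no baseline for user"))
            continue
        reasons = []
        if top_dir(ev.path) not in base.dirs:
            reasons.append("directory outside baseline")
        if ev.ts.hour not in base.hours:
            reasons.append("hour outside baseline")
        if reasons:
            findings.append(finding("medium", ev, "; ".join(reasons)))
    return findings


# Constructed training window: normal daytime activity for two users.
TRAINING_LOG = """\
ts=2018-09-03T09:12:04 user=jdoe action=read path=/data/claims/2018/q3.csv result=permit
ts=2018-09-03T10:40:51 user=jdoe action=write path=/data/claims/2018/q3.csv result=permit
ts=2018-09-04T14:05:19 user=jdoe action=read path=/data/claims/2017/q4.csv result=permit
ts=2018-09-04T15:30:00 user=asmith action=read path=/data/hr/payroll.xlsx result=permit
ts=2018-09-05T11:02:33 user=asmith action=read path=/data/hr/benefits.xlsx result=permit
""".splitlines()

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
ts=2018-09-10T09:30:00 user=jdoe action=read path=/data/claims/2018/q3.csv result=permit
ts=2018-09-10T23:15:42 user=jdoe action=read path=/data/hr/payroll.xlsx result=permit
ts=2018-09-10T23:16:10 user=jdoe action=read path=/data/hr/ssn_export.csv result=deny
ts=2018-09-11T10:00:00 user=svc_backup action=read path=/data/claims/2018/q3.csv result=permit
""".splitlines()


def run_example() -> List[dict]:
    baseline = build_baseline([parse_line(line) for line in TRAINING_LOG])
    return evaluate([parse_line(line) for line in NEW_LOG], baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity']}] {f['user']} {f['path']}: {f['reason']}")
```

The first new event matches jdoe's baseline and produces nothing; the late-night read of an HR file by the same authorized user is flagged on both directory and hour, the denied read is escalated as high severity, and the account with no training history is surfaced for review rather than silently trusted.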

Section 500.15 Encryption of Nonpublic Information

Thales eSecurity’s Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

In addition, Thales eSecurity’s Datacryptor 5000 network data encryption solution uses high-assurance encryption methods and state-of-the-art key management techniques to provide robust security, low latency and high performance in Layer 2 and IP networks.

Compliance Brief: Comply with the NY DFS Cybersecurity Regulations (23 NYCRR Part 500)

The NY DFS cybersecurity regulation (23 NYCRR 500), which went into effect in March 2017, requires covered entities to implement and maintain cybersecurity controls according to a detailed timeline. This includes data encryption and authorized user monitoring by September 3, 2018. Download the compliance brief to learn more.

Research Reports / White Papers: Vormetric Data Security Platform White Paper

As security teams struggle to contend with more frequent, costly, and sophisticated attacks, data-at-rest encryption becomes an increasingly critical safeguard. This white paper offers an overview of the different encryption approaches available today.

Data Sheets: Datacryptor 5000 Series Multilayer Encryption

The Datacryptor 5000 Series is a family of high-speed data-in-motion security platforms that deliver high performance encryption at near zero latency.

Brochures: nShield HSM Family Brochure

The Thales nShield family of general purpose hardware security modules (HSMs) enhances the security and performance of server-based applications that handle your most sensitive data.

[1] https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

Other key data protection and security regulations

NIST 800-53 / FedRAMP

Since June 5, 2014, federal agencies have been required to meet FedRAMP standards, ensuring they meet internal data security standards and extended security controls for cloud computing.

HIPAA

These regulations cover healthcare information in the US: HIPAA relates to protection (encryption, key management, etc.) and HITECH relates to disclosure of data breaches.

SOX

A United States federal law setting standards for a range of US companies; SOX sections 302 and 404 relate directly to data protection.