Compliance with security and privacy requirements is difficult. Compliance with a number of different regulations, some geographic, some industry-specific, can seem almost impossible. And when a new, large-scale requirement, like New York’s new cybersecurity regulation for the financial industry, shows up, compliance stress can become extreme.
Within the finance industry, there are a number of different regulations to comply with already, including the data security portions of the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act, as well as many state-specific regulations.
Announcement of New York’s New Cyber Security Regulation
In September 2016, the New York State Department of Financial Services (DFS) proposed a new cybersecurity regulation, 23 NYCRR 500, applying to financial services companies that are licensed by or operate under the supervision of DFS in New York State, including bank and trust companies, insurance companies, brokers, mortgage lenders, charitable foundations, and other financial services providers. It is among the most detailed and prescriptive regulations ever applied to the financial sector.
Though many large financial organizations operate in New York, the regulation does not apply to nationally chartered institutions. But, as Governor Andrew Cuomo stated when announcing the regulation, this is a “first-in-the-nation” regulation, and will probably serve as a model or starting point for regulations in other states, or nationally. It is worth paying attention to.
Reaction to the Initial Proposal
During the comment period following the September announcement there was a strong response from the financial community, and significant pushback from regulated entities, much of it urging a more flexible, risk-based approach such as that of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The regulation has since been revised to be more flexible in many areas of concern, such as the policies governing third-party service providers, the definition of what it calls “nonpublic information”, and the role of the newly required Chief Information Security Officer (CISO).
Originally planned for January 1, the regulation is now scheduled to take effect on March 1, 2017, followed by a six-month transition period, with longer transition periods for some specific requirements.
Watch This Regulation Carefully
All financial institutions should be prepared to follow many of the requirements of this regulation, even if they are not subject to New York law, because the regulations they are eventually required to comply with will most likely be modeled on 23 NYCRR 500. At the least, they should understand the requirements of that regulation in detail, watch how regulated businesses respond to it, and follow the progress of legislation in their own regions so they can anticipate compliance requirements.
MFT Supports Adapting to New Regulations
Complying with a range of different requirements is not only administratively challenging but also technologically complex. A good Managed File Transfer (MFT) system can carry a lot of the load by providing encryption for data at rest and in transit, end-to-end visibility of the file transfer process, and robust logging capabilities that simplify the audit process.
An MFT system’s authentication and authorization controls keep sensitive data from being viewed by unapproved parties. Administrators control who can initiate a transfer and which file types may be transferred, and can set expiration rules so that access to a delivered file lapses after a defined period.
Centralized logging and reporting simplify the audit process and help preserve the integrity of the audit trail, provided the logs themselves are protected from tampering (for example, by being forwarded to a separate, write-once store). The MFT system also helps establish clear encryption standards to protect data in motion.
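To make the two controls above concrete, here is an added example, not code from the original article or from any MFT vendor: a hypothetical transfer policy check (approved initiators, a file-type allowlist, and link expiration) whose decisions are written to a hash-chained audit log, so that any later edit to an entry is detectable. The policy values, user names and file names are constructed for the illustration.

```python
"""Hypothetical MFT control plane: transfer policy check plus hash-chained audit log."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample policy (hypothetical; not any vendor's schema).
POLICY = {
    "initiators": {"alice", "carol"},                # who may start a transfer
    "allowed_extensions": {".csv", ".pdf", ".xml"},  # file types permitted
    "link_lifetime": timedelta(hours=24),            # access expires after this
}


def check_transfer(policy, user, filename, created_at, now):
    """Return (allowed, reason). All three controls must pass."""
    if user not in policy["initiators"]:
        return False, f"{user} is not an approved initiator"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in policy["allowed_extensions"]:
        return False, f"file type {ext or '(none)'} not permitted"
    if now - created_at > policy["link_lifetime"]:
        return False, "access link has expired"
    return True, "ok"


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        # Canonical JSON so the same record always hashes the same way.
        payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"record": record, "prev": prev, "hash": self._digest(prev, record)})

    def verify(self):
        """Return the index of the first broken link, or None if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return None


def demo():
    """Run four constructed transfer attempts and return (decisions, log)."""
    now = datetime(2017, 3, 1, 12, 0, tzinfo=timezone.utc)
    log = AuditLog()
    attempts = [
        ("alice", "q1-positions.csv", now - timedelta(hours=1)),  # allowed
        ("bob",   "q1-positions.csv", now - timedelta(hours=1)),  # not an initiator
        ("alice", "payload.exe",      now - timedelta(hours=1)),  # file type blocked
        ("carol", "kyc-report.pdf",   now - timedelta(days=2)),   # link expired
    ]
    decisions = []
    for user, fname, created in attempts:
        allowed, reason = check_transfer(POLICY, user, fname, created, now)
        log.append({"ts": now.isoformat(), "user": user, "file": fname,
                    "allowed": allowed, "reason": reason})
        decisions.append(allowed)
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    print("decisions:", decisions)          # [True, False, False, False]
    print("chain intact:", log.verify() is None)
    log.entries[1]["record"]["allowed"] = True   # simulate an after-the-fact edit
    print("first broken entry:", log.verify())  # 1
```

The chain detects modification or deletion of any earlier entry, but not truncation of the newest entries; in practice the latest hash should also be periodically anchored somewhere the MFT administrators cannot alter (a separate log store or a signed checkpoint), which is the same reason the logs themselves must be forwarded off the transfer host.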
Implementing a robust MFT solution will make complying with New York’s new regulation, or future regulations based on it, significantly easier.
There is no better time to prepare than right now.