New York State's New Cybersecurity & Encryption Requirements
On March 1, 2017, the New York State Department of Financial Services (DFS) made effective its Cybersecurity Requirements for Financial Services Companies (Full PDF: 23 NYCRR Part 500).
DFS issued its cybersecurity regulations in response to the mounting threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. In passing the regulations, DFS staff underscored the significant financial losses, to both companies and consumers, that can be caused by cybercriminals who are able to exploit technological vulnerabilities to gain access to sensitive electronic data.
DFS designed its cybersecurity regulations to 1) match the relevant risks and keep pace with technological advances, and 2) promote the protection of customer information as well as the information technology systems of regulated entities.
The cybersecurity regulation requires each company to assess its specific risk profile and design a program that addresses those risks. The regulations also put senior management on notice to take cybersecurity seriously and make them ultimately responsible for organizational cybersecurity, including the requirement to file annual certifications of compliance with DFS.
One particularly noteworthy aspect of the cybersecurity regulation is the requirement to encrypt nonpublic information. Section 500.15 obligates companies to encrypt nonpublic information both in transit over external networks and at rest. The section is quite prescriptive, covering data held on any device, on and off premises, and in public or private clouds. The only relief it offers applies where a company determines that encryption is infeasible: it may then protect the information with effective alternative compensating controls, but those controls must be reviewed and approved by the company's CISO, and the feasibility of encryption and the effectiveness of the compensating controls must be reassessed by the CISO at least annually.
When DFS proposed the cybersecurity regulations, many companies pushed back on the encryption requirements, arguing that encryption of all data at rest was unnecessarily restrictive. All companies subject to DFS jurisdiction, however, must be in compliance with Section 500.15 by September 2018.
In a recent study conducted by Thales, 74% of respondents said they partially or extensively deploy public cloud encryption, 42% will only use keys they control to encrypt data at rest, and 43% have an encryption strategy applied consistently across their enterprise. The study further found that changing encryption strategies are being driven by increased cloud use and accelerated compliance initiatives. Encryption, including of data at rest, is now the norm: once a nice-to-have, it is a best practice expected by customers and regulators alike.
Atakama's encryption solution enables companies to comply with DFS's encryption rule, and with similar rules under consideration by other regulators, without unnecessary restrictions or disruptions to existing workflows. We developed Atakama with three goals: 1) convenience – no passwords or access codes; users can freely access, share and search files; 2) effectiveness – each file is encrypted with its own unique key; and 3) compatibility – seamless integration with all major operating systems. Atakama is a feasible solution that promotes the effectiveness of DFS's requirement for encryption of data at rest.