In September, New York Governor Andrew Cuomo released the nation's first state-mandated cybersecurity regulations for banks and other financial institutions that reside in the state of New York. Fast forward to today, and financial firms are about to embark on a series of regulations put in place March 1 by the state Department of Financial Services, the National Association of Insurance Commissioners (NAIC), and the SEC, all aimed at protecting clients, consumers, and financial entities from the “ever-growing threat of cyber attacks.”
In the face of these new regulations, banks, hedge funds, insurers, and financial institutions must ensure client information, PII, investment strategy and all non-public information is safe and protected. The revised NY DFS proposal includes a few significant provisions that are very relevant to the office of the CISO and the CIO;, the most relevant are new requirements for access controls, encryption, and data loss prevention, and how security teams react and prepare.
What’s new? A focus on protecting data directly
Although the NY DFS cyber regulations build on earlier work by the SEC and the NAIC, there are four new and notable provisions that apply to protecting financial information. The new regs:
- Enforce the broad implementation of encryption
- Restrict access privileges to both systems and data
- Provide for the retention and “timely destruction” of non-public information
- Designate a qualified chief information security officer to oversee the implementation of these programs
These new regulations are notable because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), and also tie them tightly to access control, acceptable usage policy, and data retention.
Here are four best practices security teams can begin on these requirements today.
1. Simple disk encryption isn’t enough
A driving force for the NY DFS is how often client information is shared “everywhere,” and how little control financial firms have over their data once it’s shared with third-party vendors. I’ve seen it first-hand. A leading New York hedge fund with over $20 billion in assets under management is constantly exchanging sensitive information with vendors that work outside financial firms. Lawyers, auditors, contractors, you name it. In my experience, it’s astonishing to see how very lax their procedures are for information that leaves the organization.
To comply, firms will need to implement protections beyond basic encryption at rest and in transit. They’ll need to find ways to enforce granular limitations on access privileges, implement new audit systems to document data governance inside and outside the firewall, and be able to remotely apply data disposition and destruction rules. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems.
2. Access controls at the data-level
Ultimately, encryption, access controls, and data-in-use protections must persist with your information, independent of the type of data protected, where it’s stored, or how it’s shared. It’s no longer feasible to define access at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information.
Take for example, an influential asset manager in Manhattan. That manager must now secure all legal, HR, and financial data stored in its local file shares. In order to maintain strict data governance requirements, IT and security teams must ensure their security tools integrate with the fund’s Active Directory to assign rights and permissions to highly sensitive data, anywhere files travel.
3. Automate audit trails
In the past, the requirement for an audit trail on data access was seen as an add-on or an after-thought. The NY DFS requirements call for improved visibility into data use, and a way to track and log assess privileges and reconstruct transactions.
Consider a private equity shop in New York that now must track quarterly letters sent to its limited partners. This will entail logging all authorized and unauthorized access attempts to the data, including details such as how, when and whether their licensed partners opened their investor communications, or whether competitors or nonaccredited investors attempted to access its nonpublic information.
4. Retention and ‘timely destruction” of data
This is not just for data that’s located internally, but anywhere that data travels, which is critical for financial institutions that work with hundreds of third-party vendors. How many times have you heard of someone sending the wrong file to the wrong person? Or the M&A deal with company financials shared, downloaded and kept once the deal ends? Ultimately, giving owners of the data the ability to call back that data or kill access is paramount.
Exactly how does this apply in the real world? The mergers and acquisitions arm of a public banking entity must destroy its nonpublic information after the bank’s retention period expires. Access to all copies of the diligence materials, investor decks, financial models, accounting profiles, and audits are automatically destroyed, even if they’ve been moved to personal devices
Coming to a regulatory body near you
Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world. We’re already seeing international bodies like the EU Parliament seek to expand regulation and expectations for cybersecurity outward from financial services. And as we’ve observed time and time again domestically, the best practices and approaches adopted in the financial system quickly make their way out into less-regulated industries.