The US Labor Day weekend won’t be a happy one for some cybersecurity compliance, technology and operations managers at New York-based banks.
They will likely be scrambling to successfully implement the third phase of New York’s onerous cybersecurity rules, effective September 3. Among the multitude of tasks to complete under 23 NYCRR 500, encrypting data and deciding which data to keep or destroy are giving chief information security officers (CISOs) and their colleagues the most angst, a dozen bank cybersecurity managers tell FinOps Report. “We are expecting some last-minute decisions and lots of paperwork documenting them,” says one cybersecurity director at a New York bank.
New York’s first-in-the-nation cybersecurity regulation became effective March 1, 2017, but its implementation is staggered until 2019 to give banks, insurance companies and any other financial firms doing business in New York and overseen by the New York Department of Financial Services (NYDFS) enough time to get ready. New York’s rules are widely considered to be far more rigorous than those of the overlapping Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Securities and Exchange Commission and Commodity Futures Trading Commission. “While New York’s prescriptive approach takes some of the guesswork out of determining how firms should tackle data security, some of the requirements increase the compliance burdens, particularly for small to mid-sized firms,” says Joseph Facciponti, a partner in charge of the cybersecurity practice at the law firm of Murphy & McGonigle in New York.
New York’s rules don’t indicate how penalties will be calculated for non-compliance, and the NYDFS has not responded to industry requests for clarity. However, there is plenty of impetus for financial firms to pay attention. “On an annual basis organizations have to submit a compliance certificate certifying compliance with the regulations,” writes Simon Hill, legal counsel for encryption software provider Certes Networks in Pittsburgh, in a company blog post. “This means that individuals within an establishment will have ownership and accountability for compliance which will drive proactive behavior.” Based on their interpretation of bank laws, compliance managers also predict fines could easily come to US$500,000 for each week a bank fails to implement the rules.
New York’s cybersecurity rules do give financial firms some flexibility in determining whether to encrypt data. CISOs can decide to rely on “effective alternative compensating controls” instead. However, as Facciponti cautions, determining which controls are available and deciding whether the NYDFS will consider them effective may cause as much of a headache as doing the encryption itself.
As of the first implementation deadline of August 2017, financial firms were required to implement a cybersecurity program overseen by a CISO. The second implementation deadline in March 2018 called for firms to meet several technical requirements including multifactor authentication and periodic penetration testing. CISOs also had to deliver an annual report on their cybersecurity program to their board of directors.
The September 3 requirements include creating an audit trail to reconstruct material financial transactions to support operations in the event of a data breach and developing cybersecurity policies for new applications. Yet data encryption, storage and destruction are causing far more angst because financial firms might not have thought of encrypting their data so that it is unreadable to hackers or unauthorized users. The sheer volume of data located in so many on-site and off-site applications will require financial firms to complete an entire data governance program. Firms will then need to justify which data they keep and which they destroy.
“Knowing where personal data is stored is always a challenge,” says Joanna Fields, managing principal of Aplomb Strategies, a Chicago-based firm specializing in regulatory compliance. “CISOs are generally not aware of all the locations which range from in-house applications to personal devices and third-party cloud applications.”
Although most financial firms will likely want to pass much of the workload of complying with New York’s cybersecurity rules to their CISOs, Fields recommends that IT and other departments also step up to the plate. “The biggest mistake financial firms can make is leaving all the decisions up to the CISO when other departments should be involved as well,” she says.
IT departments need to identify all the locations of data and how it is transferred so that an encryption plan for data at rest and in motion can be implemented. That task includes doing an inventory of trading systems, trade flows and user access. Data at rest includes spreadsheets, back-up data and data stored in the cloud, while data in transit refers to emails and data which passes through analytic programs. Data in motion is far harder to encrypt, especially while moving from an internal network to an external one. However, data at rest is usually far more valuable, so relying on legacy perimeter-based solutions often leaves data exposed, say cybersecurity experts.
While the evaluation and ultimate encryption process is completed, compliance and legal departments also need to develop appropriate guidelines on who can access which type of data and when. Human resource departments must continually update IT departments on new, transferred and departed employees. One of the biggest risks to a cybersecurity program is the use of unauthorized and expired passcodes. “Each employee needs to be aware of how to keep data secure and how to escalate news of any potential or actual risk when it occurs,” says Fields.
Managing Those Keys
Encrypting data alone isn’t enough to protect critical consumer and company information. Firms also need to establish standards for managing private keys, the secret values which give authorized users access to information necessary to run an operation. “Controlling and maintaining data encryption keys is an essential part of any encryption strategy because having the keys gives a cybercriminal the ability to return encrypted data to its original unencrypted state,” says Fields. “Key management involves separating keys from data for increased flexibility, having multiple keys for the same data, the same key for multiple files, key destruction and key replacement.”
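The key-management practices Fields lists (keys kept apart from the data, key replacement without re-encrypting everything, and key destruction that renders data unrecoverable) are easiest to see in an envelope-encryption pattern. The following Go program is an added illustration written for this article, not code from FinOps Report or any firm quoted here. It assumes an in-memory key store standing in for an HSM or cloud KMS, AES-256-GCM from the Go standard library, and one fresh data key per record that is wrapped under a named key-encryption key (KEK). Rotating to a new KEK only re-wraps the small data key; deleting a KEK makes every record still wrapped under it undecryptable, which is what a defensible data-destruction step looks like in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what gets stored: the ciphertext plus the data key (DEK)
// wrapped under a named KEK. The KEK itself never sits beside the data.
type Record struct {
	KEKID      string // which KEK wrapped the DEK
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // AES-GCM output with the nonce prepended
}

// KeyStore holds KEKs by id. In-memory here as an assumption; a real
// deployment would back this with an HSM or KMS.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// AddKEK registers a fresh random 256-bit key-encryption key under id.
func (ks *KeyStore) AddKEK(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keks[id] = k
	return nil
}

// DestroyKEK zeroes and deletes a KEK. Every record still wrapped under it
// becomes unrecoverable (crypto-shredding), so rotate first if data must live on.
func (ks *KeyStore) DestroyKEK(id string) {
	if k, ok := ks.keks[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keks, id)
	}
}

// seal encrypts plaintext with AES-256-GCM under key, prepending a random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM authentication fails on any tampering or wrong key.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates one fresh DEK per record and wraps it under the named KEK,
// so the same KEK covers many files while no two records share a DEK.
func (ks *KeyStore) Encrypt(kekID string, plaintext []byte) (*Record, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the record's KEK, then opens the ciphertext.
func (ks *KeyStore) Decrypt(r *Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q unavailable: data unrecoverable", r.KEKID)
	}
	dek, err := unseal(kek, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.Ciphertext)
}

// Rotate re-wraps the DEK under a new KEK; the bulk ciphertext is untouched.
func (ks *KeyStore) Rotate(r *Record, newKEKID string) error {
	oldKEK, ok := ks.keks[r.KEKID]
	if !ok {
		return fmt.Errorf("old KEK %q unavailable", r.KEKID)
	}
	newKEK, ok := ks.keks[newKEKID]
	if !ok {
		return fmt.Errorf("unknown KEK %q", newKEKID)
	}
	dek, err := unseal(oldKEK, r.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek)
	if err != nil {
		return err
	}
	r.KEKID, r.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	ks := NewKeyStore()
	_ = ks.AddKEK("kek-2018")
	_ = ks.AddKEK("kek-2019")
	rec, _ := ks.Encrypt("kek-2018", []byte("constructed sample: account ledger row")) // constructed input
	_ = ks.Rotate(rec, "kek-2019")
	ks.DestroyKEK("kek-2018")
	pt, err := ks.Decrypt(rec)
	fmt.Printf("after rotation and old-KEK destruction: %q err=%v\n", pt, err)
	ks.DestroyKEK("kek-2019")
	_, err = ks.Decrypt(rec)
	fmt.Println("after destroying the current KEK:", err)
}
```

The point for the compliance file is the audit story: a record's `KEKID` says which key governs it, a rotation is a cheap re-wrap that can be logged per record, and "destroyed" means the KEK is gone and the ciphertext can be shown to be unrecoverable rather than merely deleted from one system.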
Ultimately, financial firms have to decide how much data is worth worrying about. “It’s a lot harder to identify the data that must be kept and must be deleted than one would think,” says Tim Ryan, US cybersecurity investigations leader for EY’s forensics and integrity services practice. “In some instances, the data must be retained due to state and regulatory requirements rather than business needs.”
What happens when data is located with third-party vendors? The financial firm then has to work with the external service providers to create a cybersecurity retention and destruction plan, says Ryan. Such a strategy will go a long way toward helping firms meet the final March 2019 deadline for creating and applying security policies to third parties accessing their data.
In the meantime, Facciponti suggests, financial firms should also make certain they don’t fall afoul of Europe’s overlapping General Data Protection Regulation (GDPR). The newly effective legislation, which applies to New York-based financial firms with offices in Europe or marketing to European retail investors, also cites encryption as a way for firms to protect personal data. What’s more, as part of a comprehensive cybersecurity program firms must give retail customers the right to request that their personal data be erased.