Just last month, the New York Department of Financial Services and Governor Andrew Cuomo announced a series of new rules strengthening cybersecurity requirements for financial firms in the state of New York. This is the latest in a series of announcements aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.”
These mandates are interesting not only because they dramatically expand the categories of data to be encrypted (the current draft calls for the “encryption of all nonpublic information held or transmitted”), but because they tie encryption tightly to access control, acceptable usage policy, and data retention. In short, encryption alone won’t be enough to comply with the New York DFS regulations.
The following guidelines will help CFOs, CISOs, and firms facing these kinds of cyber-regulations assess, implement, and document the security programs they need in order to comply.
Seek more dynamic ways to protect data. It’s clear that firms will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems, but anywhere data can travel, traditional means of encryption and monitoring can’t scale. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and unmanaged services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
Prioritize solutions that balance simplicity with security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. That complexity creates incentives for otherwise well-intentioned people to work around policy, increasing the risk of a material breach.
Make audit an asset, not an also-ran. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the record of each user interaction to build a better picture of where data is traveling, and to whom.
In his remarks on the proposal, Governor Cuomo said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.
By taking a more dynamic approach to data protection, and adhering to these guidelines, you can be ready to assert to any auditor your ability to protect the confidentiality, integrity, and availability of your firm’s information.
Prakash Linga is the co-founder & CTO of Vera, a data security firm based in Palo Alto, Calif. In this role, he oversees all products and technology, and is responsible for developing the technical vision of the company.