Compliance Check: NYCRR 500 Phase 3
We're now three quarters of the way through New York's two-year-long implementation of its cybersecurity law for financial services companies.
The first law of its kind in the US, NYCRR 500 sets best-practice cybersecurity requirements for all banks, mortgage companies, insurance companies, and other organizations that do business in New York. The requirements are being phased in between March 1, 2017 (when the law first took effect) and March 1, 2019.
As of September 2018, organizations licensed by the New York DFS must comply with some of the law's most significant provisions. Here's a quick look at the provisions that took effect at the end of the third transitional period, and how Smartcrypt can help meet each of the requirements:
- Audit trails (section 500.06): Requires that covered organizations maintain (and secure) information on financial transactions and security events.
How Smartcrypt can help: Smartcrypt's Data Security Intelligence capabilities allow administrators to view and export detailed information about every action taken on files that contain sensitive data, including discovery, classification, encryption, and decryption. Audit logs can be viewed in real time and picked up by SIEM technology or other tools.
- Application security (section 500.08): Requires specific procedures to ensure the security of applications developed in house or by third parties.
How Smartcrypt can help: Smartcrypt Application Encryption allows organizations to build strong, persistent encryption into applications with only a few additional lines of code. Companies can use Smartcrypt to secure structured and unstructured data, and can maintain data length and format in specific database columns.
- Limitations on data retention (section 500.13): Requires secure disposal of data that is no longer needed for legitimate business purposes.
How Smartcrypt can help: Smartcrypt takes policy-based actions on files across the entire enterprise. By using Smartcrypt’s data discovery and classification capabilities, organizations can define deletion criteria and automatically delete files that are no longer needed.
- Training and monitoring (section 500.14): Organizations must "implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information."
How Smartcrypt can help: Administrators can use Data Security Intelligence to see which files users are accessing and what changes they are making to file classification or protection options.
- Encryption of nonpublic information (section 500.15): Organizations are required to protect sensitive information at rest and in transit with encryption or equivalent levels of protection.
How Smartcrypt can help: Smartcrypt protects sensitive information with strong encryption that remains with data at rest, in use, and in transit. Persistent encryption ensures that only authorized users can access data, even in the event that the data is lost or stolen.