Meet New York DFS Cybersecurity Requirements

23 NYCRR 500 is a set of cybersecurity requirements that apply to organizations licensed by the New York State Department of Financial Services. The requirements take a broader approach to cybersecurity than any previous US law, establishing minimum standards for risk assessments, policy creation, access control, data protection, and other security activities.

PKWARE delivers a wide range of data compliance capabilities, providing visiblity and control over sensitive data across the enterprise and helping financial services organizations meet their regulatory obligations.

Background: New York Cybersecurity Regulations

The New York law, commonly called NYCRR 500 or DFS 500, was issued in March 2017 and took full effect in March 2019. Covered entities are required to establish formal cybersecurity programs and document their cybersecurity policies, in addition to meeting several other requirements:

  • Conduct cybersecurity risk assessments
  • Ensure the security of their applications
  • Implement data protection methods, including encryption
  • Use appropriate controls to limit access to sensitive information
  • Notify the New York DFS within 72 hours of a cybersecurity event

In addition, the law indirectly establishes rules for third party service providers that have access to covered entities’ nonpublic information. Covered organizations are required to develop third party security policies that will effectively apply many 23 NYCRR 500 mandates to service providers who are not licensed by the New York DFS. Depending on its business activities, an organization may be both a covered entity and a third-party provider under the law.

Meet NYCRR 500 Requirements with PKWARE

PKWARE’s data security platform takes an automated, rules-based approach to data protection, enabling financial services organizations to enforce NYCRR 500 requirements in real time, even on data that exists outside the controlled database environment. Files on servers, laptops, and desktops are scanned each time data is created or modified, making it essentially impossible for data to exist in violation of company policy.

The PKWARE platform includes solutions for a wide range of use cases, including secure data exchange, encryption for data at rest, data classification, and securing proprietary applications.

Requirement: Risk assessment

Section 500.09

Solution: In order to protect its data, an organization must first understand how much information it has and where the information is located. PKWARE's data discovery feature enables organizations to detect sensitive information on end user devices and in network storage locations. PKWARE agents can be configured to detect data based on each organization’s unique needs and business processes.

Requirement: Encryption of nonpublic information

Section 500.15

Solution:PKWARE applies strong data-level encryption to sensitive information, ensuring that the data remains inaccessible to unauthorized users, even if stolen or mishandled. With simplified key management and cross-platform operability, PKWARE is the only company that facilitates true enterprise-wide encryption.

Requirement: Application Security

Section 500.08

Solution:PKWARE's software development kit that allows organizations to incorporate strong encryption into their existing applications with only a few additional lines of code. Encryption can be applied to structured and unstructured data.

Requirement: Audit trails and activity monitoring

Section 500.06 and Section 500.14

Solution: The PKWARE Enterprise Manager facilitates complete administrative control over encrypted information. Access control lists determine who is authorized to decrypt protected information, while PKWARE’s Data Security Intelligence tools provide full reporting on every encryption and decryption operation.

Requirement: Third party security policies

Section 500.11

Solution: Smartkey technology allows organizations to exchange sensitive information with third parties securely and easily. Third-party access privileges can be granted or revoked at any time without the need for re-encryption.