Businesses are obligated to protect sensitive data not just for the security of their operations and their customers’ privacy, but also to stay aligned with evolving data protection laws and regulations. New regulations are coming into effect all the time. New York has implemented the New York State Department of Financial Services’ (NYDFS) Cybersecurity Requirements for Financial Services Companies, also known as 23 NYCRR 500.
As the threat landscape escalates, keeping pace with regulations like NYCRR 500 is not just about compliance but a step towards bolstering your organization’s defenses against potential data breaches and financial system threats.
In 2017, the State of New York Department of Financial Services took a bold step and introduced a comprehensive set of cybersecurity requirements for financial institutions operating under their jurisdiction.
These requirements, outlined in Title 23 of the New York Codes, Rules, and Regulations Part 500, or simply NYCRR 500, represent another milestone in securing customer data and IT systems of financial institutions.
Under this recent state regulation, supervised entities are mandated to assess their cybersecurity risk profiles and deploy a comprehensive strategy that acknowledges and mitigates their risk. To help organizations prevent data breaches, specific regulatory minimum standards have been established.
Here are the key high-level data security requirements for financial organizations:
Concentric’s AI-based solution helps organizations in the financial industry meet the stringent requirements of NYCRR 500.
While the general requirements outlined above are quite broad, it’s more prudent to explore some of the more specific NYCRR 500 requirements and how Concentric can help you stay compliant.
Limiting Access to Information Systems
One of the key components of NYCRR 500 is limiting access to information systems that contain private data. Concentric enables you to easily manage access controls, ensuring that only authorized individuals have access to sensitive data — no matter where it resides: in the cloud, on premises, in structured or unstructured format. You can mitigate these access risks as they happen, whether it’s fixing access control issues or permissions, disabling sensitive file sharing with a third party, or blocking an attachment on a messaging service.
Implement policies and procedures to ensure the security of information held by third-party service providers
NYCRR 500 also mandates that businesses implement policies and procedures to secure data held by third-party service providers. Concentric’s multifaceted approach of classifying data, assessing risk and managing access controls goes a long way in helping you secure data held by a third party.
By accurately classifying financial data based on its sensitivity and importance, you can clearly define policies in which only the appropriate data is shared with each third party, following the principle of least privilege.
When it comes to data risk, Concentric can identify potential risks associated with data sharing, such as inappropriate access or sharing permissions.
Concentric securely scans unstructured data wherever it’s stored. We support Office365, Slack, Microsoft Teams, Snowflake, e-mail, Amazon S3, OneDrive, Google Drive, Box, Dropbox, SharePoint Online, Windows file shares, PostgreSQL, MySQL, and more. With continuous autonomous monitoring, Concentric ensures your data is constantly protected and compliant.
Data Retention and Deletion Policies
With Concentric, you can deploy data retention and deletion policies that comply with NYCRR 500. By identifying the type of data and its associated sensitivity level, you can pinpoint any relevant data that is subject to specific retention and deletion policies wherever it lies.
Because our solution is always measuring risk, you can highlight instances where data retention and deletion practices deviate from established norms, which can highlight potential non-compliance or data security risks.
Equally important, Concentric can also help organizations with data lifecycle management and managing data lineage. You’ll easily be able to manage all versions of your sensitive financial data and pinpoint which iterations are newer and which are older. Plus, you’ll have a clear view of where each variation of all sensitive financial data resides across your repositories — whether it’s in the cloud or on-premises, structured or unstructured.
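As an added illustration of the retention and deletion checks described in this section (example code written for this page, not Concentric’s product or NYCRR 500’s own retention periods), the following script evaluates classified records against a hypothetical retention policy and flags three kinds of deviation: data kept past its maximum retention, data deleted before its minimum retention, and data with no recognised classification. The policy table, the record format and the sample records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical policy: classification label -> (minimum keep, maximum keep) in days.
# Constructed values for illustration only; real periods come from your legal/compliance team.
RETENTION_POLICY = {
    "customer-pii": (365, 365 * 7),
    "transaction-record": (365 * 5, 365 * 7),
    "internal-memo": (0, 365),
}


@dataclass
class Record:
    """One classified data object discovered in a repository (constructed schema)."""
    path: str
    classification: str
    created: datetime
    deleted_at: Optional[datetime] = None


def evaluate_retention(records: List[Record], now: datetime) -> List[dict]:
    """Return one finding per record whose lifecycle deviates from RETENTION_POLICY."""
    findings = []
    for rec in records:
        policy = RETENTION_POLICY.get(rec.classification)
        if policy is None:
            # Unclassified data cannot be governed; surface it so it gets a label.
            findings.append({"path": rec.path, "issue": "unclassified",
                             "detail": f"no policy for label {rec.classification!r}"})
            continue
        min_days, max_days = policy
        if rec.deleted_at is None:
            age = (now - rec.created).days
            if age > max_days:
                findings.append({"path": rec.path, "issue": "overdue-deletion",
                                 "detail": f"age {age}d exceeds maximum {max_days}d"})
        else:
            held = (rec.deleted_at - rec.created).days
            if held < min_days:
                findings.append({"path": rec.path, "issue": "premature-deletion",
                                 "detail": f"held {held}d, minimum is {min_days}d"})
    return findings


# Constructed sample inventory; paths and dates are made up for the example.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("s3://finance-bucket/customers/2015/export.csv", "customer-pii",
           datetime(2015, 1, 1, tzinfo=timezone.utc)),
    Record("sharepoint://Finance/txn-2019.xlsx", "transaction-record",
           datetime(2019, 6, 1, tzinfo=timezone.utc)),
    Record("onedrive://alice/memo.docx", "internal-memo",
           datetime(2023, 6, 1, tzinfo=timezone.utc)),
    Record("box://ops/txn-2021.csv", "transaction-record",
           datetime(2021, 3, 1, tzinfo=timezone.utc),
           deleted_at=datetime(2023, 2, 1, tzinfo=timezone.utc)),
    Record("slack://files/F123", "unknown-label",
           datetime(2023, 12, 1, tzinfo=timezone.utc)),
]


def run_demo() -> List[dict]:
    return evaluate_retention(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['issue']:<20} {finding['path']}  ({finding['detail']})")
```

The check is deliberately driven by the classification label rather than by file location, which is the same idea the section describes: once sensitivity is known, the retention rule applies wherever the data lives.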
Monitoring User Activity and Detecting Unauthorized Access
Continuously monitoring data for risk is not only difficult but time-consuming for IT and security teams. As adherence to data protection laws like NYCRR 500 becomes the norm, the resources required to write complex rules and deploy policies on-the-fly can be overwhelming.
With Concentric, you can autonomously discover how your sensitive financial data is being used, who it is being shared with, and who accessed it. You can quickly and accurately identify risk from inappropriate permissioning, risky sharing, unauthorized access or potential data misuse.
Not only that, but you can also detect any deviations from normal data usage patterns, including unusual or unexpected data access. Unauthorized access can be remediated in real-time, enabling quick incident response to mitigate potential damage.
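To make the monitoring idea in this section concrete, here is an added example (written for this page, not Concentric’s detection logic or log format) that builds a per-user baseline from a constructed set of access log lines and then flags later events that deviate from it: access to a repository or sensitivity label the user has never touched, access outside the user’s usual hours, and sharing of sensitive data with an external target. The key=value log format, the label names and the user names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Labels whose exposure matters most; constructed for the example.
SENSITIVE = {"customer-pii", "transaction-record"}

# Constructed sample log lines in a hypothetical key=value format.
BASELINE_LOG = """
2023-12-04T09:12:44Z user=alice action=read repo=sharepoint path=/Finance/q3.xlsx label=transaction-record
2023-12-05T10:03:10Z user=alice action=read repo=sharepoint path=/Finance/q3-notes.docx label=internal-memo
2023-12-06T14:22:05Z user=alice action=edit repo=sharepoint path=/Finance/q3.xlsx label=transaction-record
2023-12-04T08:45:00Z user=bob action=read repo=onedrive path=/Clients/list.csv label=customer-pii
2023-12-07T11:30:12Z user=bob action=edit repo=onedrive path=/Clients/list.csv label=customer-pii
""".strip().splitlines()

NEW_LOG = """
2024-01-08T09:12:44Z user=alice action=read repo=sharepoint path=/Finance/q4.xlsx label=transaction-record
2024-01-08T23:41:02Z user=alice action=read repo=s3 path=/exports/customers.csv label=customer-pii
2024-01-09T10:15:30Z user=bob action=share repo=onedrive path=/Clients/list.csv label=customer-pii target=external:partner@example.net
2024-01-09T10:20:00Z user=bob action=read repo=onedrive path=/Clients/notes.docx label=internal-memo
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict (paths are assumed to have no spaces)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per user: repositories, labels and hours of day seen during the baseline window."""
    baseline = defaultdict(lambda: {"repos": set(), "labels": set(), "hours": set()})
    for line in lines:
        e = parse_line(line)
        b = baseline[e["user"]]
        b["repos"].add(e["repo"])
        b["labels"].add(e["label"])
        b["hours"].add(e["ts"].hour)
    return baseline


def detect_anomalies(baseline: Dict[str, dict], lines: List[str]) -> List[dict]:
    """Return findings for events that deviate from the user's baseline or expose sensitive data."""
    findings = []
    for line in lines:
        e = parse_line(line)
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("unknown-user")
        else:
            if e["repo"] not in b["repos"]:
                reasons.append("new-repo")
            # A never-before-seen label only matters when it is a sensitive one.
            if e["label"] not in b["labels"] and e["label"] in SENSITIVE:
                reasons.append("new-sensitive-label")
            lo, hi = min(b["hours"]), max(b["hours"])
            if not (lo - 1 <= e["ts"].hour <= hi + 1):
                reasons.append("off-hours")
        if (e.get("action") == "share" and e.get("target", "").startswith("external:")
                and e["label"] in SENSITIVE):
            reasons.append("external-share-of-sensitive-data")
        if reasons:
            findings.append({"user": e["user"], "path": e["path"],
                             "ts": e["ts"].isoformat(), "reasons": reasons})
    return findings


def run_demo() -> List[dict]:
    return detect_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ts']} {f['user']:<6} {f['path']:<28} {', '.join(f['reasons'])}")
```

Two of the four new events are flagged: Alice’s late-night read of customer PII from a repository she has never used, and Bob’s share of a customer list with an external address. Bob’s read of a low-sensitivity memo he had not opened before is deliberately left alone, which is the kind of tuning that keeps a real deployment from drowning responders in noise.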
Easy to deploy without using rules or regex
What’s truly remarkable about everything we’ve discussed here is that Concentric reduces risk and protects your sensitive data without upfront policies, rules or regex, and deploying the solution doesn’t require large teams to operationalize.
Want to see for yourself, with your own data, how Concentric can help you with NYCRR 500 compliance? Book a demo today.