The deadline for the 18-month transitional period of the NYDFS Cybersecurity Requirements has passed, but there is still time to achieve compliance with 23 NYCRR 500. We’ve covered four out of the five requirements in previous blogs: audit trails, application security, limitations of data retention, and training and monitoring. The last one is 500.15: Encryption of Nonpublic Information.
Encryption of Nonpublic Information requirements
Requirement 500.15 mandates that organizations implement controls, including encryption, based on a risk assessment to protect nonpublic information that the organization holds or transmits over external networks.
If the organization finds that encrypting this information is infeasible, it can secure it using other effective controls instead. The organization’s CISO must approve these alternative controls and review their effectiveness at least annually.
There’s still time to comply
The NYDFS doesn’t provide much information on exactly how organizations should comply with the regulation. Fortunately, most of its requirements align with the best practices described in ISO 27001, so organizations can use the Standard as the basis for their NYDFS Cybersecurity Requirements compliance project.
You will need to perform a risk assessment to meet many of the NYDFS’s requirements. If you haven’t yet conducted one, you might be interested in vsRisk™. The tool helps simplify the risk assessment process, providing a simple and fast way to identify relevant threats, and delivering repeatable, consistent assessments year after year.