The New York State Department of Financial Services (DFS) cybersecurity requirements for financial services companies (23 NYCRR Part 500) came into force on September 4 of this year. On the surface, it may look like these rules pertain only to the state of New York, but in reality they reach any party that processes, or is otherwise permitted access to, Nonpublic Information of New York State origin, because regulated entities must push the requirements down to their third-party service providers. Simply put, if your financial institution does work for any New York resident or for a DFS-regulated entity, you may now be subject to this regulation, either directly or through your customers' vendor obligations.
One of the most far-reaching provisions of this regulation is Section 500.11, Third Party Service Provider Security Policy, paragraph (b)(2), which requires policies and procedures for the "...use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest". Nonpublic Information (NPI) under this regulation covers electronic information that is not publicly available, including but not limited to individual identifiers (for example a name combined with a Social Security number, account number or password), health data, and financial data.
But what does data encryption really mean?
Not all data encryption is equal, and unlike many other security controls it is not as simple as turning it on or off. Let's geek out a bit and cover the main categories of cryptography that get lumped together as "encryption" today:
- Hash – One-way: you can verify data by recomputing the digest and comparing, but you cannot reverse the digest to get the data back. Typically used for password storage and integrity checks. Example: SHA-512. Note that a bare, fast hash such as SHA-512 is not enough on its own for stored passwords; use a salted, deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt or Argon2).
- Symmetric – Uses the same key for both encryption and decryption, so that one key must be shared and protected at both ends. Typically used for bulk data: databases, volumes and local files. Example: AES (Rijndael).
- Asymmetric – Uses a public key for encryption and a private key for decryption, so the parties need not share a secret in advance. Typically used for cross-party exchange, usually to wrap a symmetric key rather than to encrypt bulk data. Example: RSA.
- Signature Verification – Uses asymmetric cryptography the other way round: the sender signs with the private key and anyone holding the public key can verify that the message is authentic and unaltered. This is what SSL/TLS certificates rely on. Examples: RSA-PSS, ECDSA.
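To make the four categories concrete, here is an added example, written for this page rather than taken from the original post or from any product it names, using only Go's standard library. It goes slightly beyond the list above by also showing the failure modes that matter in practice: an authenticated cipher (AES-GCM) refusing to decrypt tampered ciphertext, and a signature failing to verify for an altered message. The sample record, the function names and the key sizes are assumptions made for the illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for a piece of Nonpublic Information (NPI).
const sampleNPI = "Jane Doe, acct 0000-1111-2222-3333, balance 1234.56"

// Hash: one-way. Recomputing the digest verifies the data, but the digest cannot be
// reversed to recover it. The comparison is constant-time to avoid a timing leak.
func hashSHA512(data []byte) []byte {
	sum := sha512.Sum512(data)
	return sum[:]
}
func verifyHash(data, expected []byte) bool {
	return subtle.ConstantTimeCompare(hashSHA512(data), expected) == 1
}

// Symmetric: AES-256-GCM. One shared key encrypts and decrypts, so it must be protected
// at both ends. GCM also authenticates the ciphertext, so tampering is detected.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The nonce is not secret but must never repeat under one key; prepend it to the output.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func symmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil) // errors out if the authentication tag does not match
}

// Asymmetric: anyone holding the public key can encrypt; only the private key decrypts.
// RSA-OAEP only fits a short message, so in practice it wraps a symmetric data key.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}
func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Digital signature: the sender signs a digest with the private key; anyone holding the
// public key can check that the message is authentic and unmodified, as TLS certificates do.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}
func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	data := []byte(sampleNPI)
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand; the error return is ignored only for this demo
	ct, _ := symmetricEncrypt(key, data)
	ct[len(ct)-1] ^= 1 // flip one bit of the GCM tag: decryption must now fail
	_, err := symmetricDecrypt(key, ct)
	fmt.Println("tampered AES-GCM ciphertext rejected:", err != nil)
	priv, _ := newKeyPair()
	sig, _ := signMessage(priv, data)
	fmt.Println("signature valid for original:", verifySignature(&priv.PublicKey, data, sig))
	fmt.Println("signature valid for altered: ", verifySignature(&priv.PublicKey, []byte("altered"), sig))
}
```

The design choice worth noting is that the symmetric layer is an authenticated mode (GCM) rather than plain AES-CBC: an encryption-at-rest control that silently decrypts modified ciphertext protects confidentiality but not the integrity the regulation also cares about. Likewise, RSA here encrypts a 51-byte record directly only because it fits; real systems encrypt the data with AES and use RSA only to protect the AES key.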
Along with these primitives, there is also a wide array of encryption options available depending on the type of data being encrypted, cost, and availability requirements, including:
- Windows File Encryption (EFS)
- Volume Encryption (either via self-encrypting drives or via products such as BitLocker)
- Database Encryption (e.g. TDE, which encrypts the database files at rest, or Always Encrypted, which encrypts selected columns so the database server never sees the plaintext)
- Commercial Data File Encryption Software / Hardware (such as Vormetric or other commercial platforms)
- Application Encryption (the application encrypts fields before they reach storage or leave the system)
Effective data encryption is more than checking an option box. It takes planning and often expertise from internal IT and compliance staff, application vendors and the third parties processing the data, as well as from commercial platforms and resources. Before beginning, it is a good idea to consider:
- Performance impact on existing hardware/software infrastructure
- What should be encrypted
- Non-public vs. public information
- Data combinations that can turn public information into Nonpublic Information (a name on its own may be public; a name paired with an account number, Social Security number or password is NPI)
- Data integrity, key management, and who legitimately needs access to the plaintext