New York State puts the hammer down on cybersecurity for financial services – with global implications!

If you are a financial services firm operating in New York State, as of March 1, 2017 your world has changed. Even those not operating in New York and not in financial services should pay close attention. Rules promulgated in New York have a way of spreading worldwide when it comes to financial services and public companies. I predict these rules will eventually become standard for any company listed on the NYSE or Nasdaq, and from there for all public companies worldwide. The link to the rules is HERE.

There are many implications in these rules. I will focus on just a few related to Evizone’s specialty of electronic communications, in order to encourage you to read the rules and think about what they mean for your business. The rules require (among many other things):

  • Encryption of Nonpublic Information held or transmitted both in transit over external networks and at rest;
  • Secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation;
  • Multi-factor authentication;
  • Audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of normal operations.

The Chairman or an appropriate senior officer of the firm is required to certify compliance, in writing, with these rules annually.

These rules have profound implications for electronic communications. Here are just a few:

  1. Use of regular or encrypted e-mail for Nonpublic Information outside the firm’s networks (i.e. communicating with external auditors, law firms, consultants etc.) is non-compliant, since multi-factor authentication cannot be enforced, encryption at rest is questionable, secure disposal is not enforceable and audit trails are non-existent once the information has been sent;
  2. Comprehensive monitoring of all types of electronic communications is required to ensure Nonpublic Information is not being transmitted inappropriately. This monitoring system must have a strong governance model, maintain non-tamperable audit trails, be encrypted in motion and at rest, require multi-factor authentication and ensure secure disposal in accordance with policy;
  3. Electronic communications records on laptops and mobile devices are subject to these requirements as well. If a laptop goes missing with megabytes of Nonpublic Information held in old e-mails and documents on the hard drive, that is a major fail under these rules;
  4. Compliance archiving systems must also ensure encryption in motion and at rest, require multi-factor authentication, maintain non-tamperable audit trails and ensure secure disposal in accordance with policy;
  5. While not mentioned specifically, there is an implication that encryption of documents at rest must be kept up to the latest standard. A five-year-old document using five-year-old encryption is effectively not encrypted, as the old standards become vulnerable.

I could go on and on, but I believe the point has been made. Current methods of electronic communications and compliance archiving simply do not satisfy these rules. Firm Chairs or Officers who certify that they do are at great risk.

Fortunately, at Evizone we have been working on these issues for years. Evizone’s Secure Communications and Communications Governance products do comply with these rules in every respect. Give us a call to find out how we do it. We will be happy to show you.

Bill Wells is the Chairman of Evizone. This blog originally appeared on Bill’s LinkedIn page.