Data Governance for Regulatory Compliance: Lessons Learned from NYDFS
This week marks six months since the last of three compliance deadlines for the New York State Department of Financial Services (NYDFS) Cybersecurity Regulations. As of March 1, 2019, many financial services firms operating in New York state are now required to abide by a new set of cybersecurity standards that dictate how they manage, share, and control access to data.
What is revolutionary about NYDFS is that many of these provisions are not technical in nature but structural: they outline a holistic approach to data security that includes the appointment of a CISO, routine risk assessments, audit trails, and other established best practices.
The broad scope of NYDFS provides a good framework for how financial services firms and other companies that handle sensitive data should align their thinking around data security. NYDFS doesn’t simply mandate a set of technical requirements that must be implemented, but forces firms to build in processes, people, and procedures that improve data governance and encourage smarter management of the data environment. By looking beyond network security and endpoint protection, NYDFS validates that in today’s regulatory landscape, there is no compliance without data governance.
Let’s unpack a few components of NYDFS that highlight the interplay of governance and compliance:
Access Control (500.07)
NYDFS requires that companies take steps to “limit user access privileges to Information Systems that provide access to Nonpublic Information,” and requires “periodic review” of these access privileges. Under the law, “Nonpublic Information” covers a wide range of Personally Identifiable Information (PII), from usernames and passwords to Social Security numbers and the banking and healthcare information commonly stored in enterprise file systems.
Risk Assessments (500.09)
Risk assessments mandated under NYDFS are intended to inform the overall design of the firm’s cybersecurity program. In part, firms must consider the risks associated with how “Nonpublic Information [is] collected or stored” and “the availability and effectiveness of controls to protect Nonpublic Information.”
Limitations on Data Retention (500.13)
This section states that companies must develop policies and procedures for the “secure disposal” of Nonpublic Information that is “no longer necessary for business operations or for other legitimate business purposes.” In other words, companies must retire data that they are not required to retain under other rules such as SOX, SEC regulations, and GLBA.
For many firms, the open-ended nature of NYDFS has made it challenging to navigate, raising questions about how best to implement it and giving rise to a cottage industry of compliance consultants. Unstructured data, in particular, has been a problem area for many. In the documents, spreadsheets, images, and PDFs that make up most enterprise data, “Nonpublic Information” is often buried deep inside the files themselves.
To work toward compliance, companies must be able to identify, locate, and control access to any file that contains sensitive data as defined under the law. From there, they must periodically assess who has access to which files and reliably delete sensitive data that they are not otherwise required to hold. For companies of a certain size (meaning most companies impacted by NYDFS), this is impossible to do at scale without a tool that provides automated classification, permissions auditing, access control, and data lifecycle management. As more states pass similar laws, the reach of NYDFS-style legislation is growing. Schedule a demo with an Egnyte product specialist to learn how strong data governance and lifecycle management can get you on the path to compliance.
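As an added illustration of the identify, audit-access and retire loop described above (example code written for this post, not Egnyte's product or its API), the Python below scans a constructed directory tree: it flags files matching an SSN-style pattern as one stand-in for Nonpublic Information, records whether the group or world read bits are set on each such file, and marks files older than an assumed seven-year retention window as disposal candidates. The SSNs, file names and retention period are all constructed for the example.

```python
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # one stand-in for Nonpublic Information
RETENTION_DAYS = 7 * 365  # assumed seven-year window, not a figure from the regulation

@dataclass
class Finding:
    path: str                 # relative to the scanned root
    ssn_count: int            # SSN-style matches in the file
    group_readable: bool      # group read bit set
    world_readable: bool      # other/world read bit set
    disposal_candidate: bool  # NPI present and past retention (assumes no legal hold)

def scan_file(root, path, now, retention_days):
    """Classify one file, record its access bits and judge retention."""
    ssn_count = len(SSN_RE.findall(path.read_text(errors="ignore")))
    st = path.stat()
    return Finding(str(path.relative_to(root)), ssn_count,
                   bool(st.st_mode & stat.S_IRGRP), bool(st.st_mode & stat.S_IROTH),
                   ssn_count > 0 and (now - st.st_mtime) / 86400 > retention_days)

def audit(root, now=None, retention_days=RETENTION_DAYS):
    """Walk a tree; return findings for files holding NPI, keyed by relative path."""
    root, now = Path(root), (time.time() if now is None else now)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            f = scan_file(root, path, now, retention_days)
            if f.ssn_count:
                findings[f.path] = f
    return findings

def build_sample_tree():
    """Constructed sample files (fake SSNs, backdated mtime) so this runs offline."""
    root = Path(tempfile.mkdtemp())
    old = root / "archive" / "payroll-2008.csv"
    old.parent.mkdir()
    old.write_text("name,ssn\nPat Example,123-45-6789\n")
    old.chmod(0o644)  # group- and world-readable
    os.utime(old, (time.time() - 10 * 365 * 86400,) * 2)  # backdate ten years
    fresh = root / "onboarding.txt"
    fresh.write_text("Account opened, SSN 987-65-4321 verified\n")
    fresh.chmod(0o600)  # owner-only
    return str(root)
```

The backdated, world-readable payroll file is the case the regulation targets: it fails both the access-review and the retention check, while the recent owner-only file passes retention and only needs a periodic access review.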