Does your company meet the NY DFS Data Encryption at Rest Requirement?
It is important to know what peer companies are doing to comply with NY DFS. Each year, auditors evaluate how companies are meeting the regulatory requirements. Over time this will culminate in an ‘industry standard’ for meeting the spirit of the regulation, and that standard will be used to assess how your encryption compares to your peers.
The NY DFS sensitive data at rest encryption requirements have been in effect since 2018. Dark Reading called the Cybersecurity Requirements for Financial Services Companies “one of the harshest cybersecurity regulations to hit companies in the US”. In short, covered entities “will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations.” NY-DFS includes a mandate to encrypt data both at rest and in transit regardless of whether this data is in a public or private cloud, or on a device.
00.15 Encryption of Nonpublic Information: As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
Respondents to the Hybrid Pathways 2019 Peer Knowledge Sharing Survey are using a combination of encryption formats to meet the NY DFS requirements. Forty-four percent (44%) of respondents are using whole-disk encryption, twenty-six percent (26%) are using transparent database encryption, and thirty percent (30%) are using application-level encryption.
Hybrid Pathways Insight: Whole-disk encryption is the easiest to implement because it is transparent to applications (no application changes are required). It is also the least secure option for “sedentary” systems, because what it protects against is physical theft of the data. Transparent database encryption also does not typically require application changes, and it offers a better level of protection than whole-disk encryption because it can protect against electronic theft of the data. Application-level encryption is the most secure and defends against electronic theft better than transparent database encryption, because the data is encrypted in the application before it is written to the database (data at rest). Application-level encryption typically requires application code changes and new technology solutions for enterprises, and is therefore the hardest to implement.
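The application-level case described above, as an added example that is not part of the original article or survey: a sensitive field is sealed with AES-256-GCM before it reaches the database, and a byte-for-byte copy of the database file is then searched for the plaintext. It assumes the third-party Python `cryptography` package; the table layout, the sample SSN and the in-process key are constructed for illustration (a real application would obtain the key from a key management service).

```python
import os
import sqlite3
import tempfile
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SSN = b"078-05-1120"  # constructed sample value, not real customer data

def encrypt_field(key, value, aad):
    # AES-256-GCM; the random 96-bit nonce is stored in front of the ciphertext.
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, value, aad)

def decrypt_field(key, blob, aad):
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)

def store(path, customer_id, ssn_blob):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, ssn BLOB)")
    db.execute("INSERT INTO customers VALUES (?, ?)", (customer_id, ssn_blob))
    db.commit()
    db.close()

def load(path, customer_id):
    db = sqlite3.connect(path)
    row = db.execute("SELECT ssn FROM customers WHERE id = ?", (customer_id,)).fetchone()
    db.close()
    return row[0]

def file_contains(path, needle):
    # Stands in for someone reading the database file on a running host.
    with open(path, "rb") as fh:
        return needle in fh.read()

def demo():
    key = AESGCM.generate_key(bit_length=256)  # assumption: held by a KMS in practice
    workdir = tempfile.mkdtemp()
    plain_db = os.path.join(workdir, "plain.db")
    app_db = os.path.join(workdir, "app_encrypted.db")
    aad = b"customers.ssn:1"  # binds the ciphertext to its table, column and row id
    store(plain_db, 1, SSN)
    store(app_db, 1, encrypt_field(key, SSN, aad))
    try:  # ciphertext copied into another row must fail authentication
        decrypt_field(key, load(app_db, 1), b"customers.ssn:2")
        moved_rejected = False
    except InvalidTag:
        moved_rejected = True
    return {"plaintext_db_leaks_ssn": file_contains(plain_db, SSN),
            "app_encrypted_db_leaks_ssn": file_contains(app_db, SSN),
            "app_can_decrypt": decrypt_field(key, load(app_db, 1), aad) == SSN,
            "moved_ciphertext_rejected": moved_rejected}
```

The plaintext database models what is readable once a whole-disk-encrypted volume is unlocked and mounted; the second file stays opaque without the application's key.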
Based on timing and in order to meet the annual regulatory requirements, companies should:
> Employ application-level encryption for new applications
> Move to transparent database encryption where possible for existing applications
> Where there is no other coverage in place, implement whole-disk encryption
The bar for encryption will continue to rise. Companies should not expect that whole-disk encryption will meet regulations going forward. As your peers move to more secure options, you will be required to improve encryption as well.
Hybrid Pathways surveys IT/security leaders and chief architects at enterprise companies across industries in New England. The goal is to provide peer experience and feedback that could help with decision making and planning.
The survey questions are initiated by enterprise IT/security leaders. The 2019 survey focused on the areas of cloud orchestration, packet capture across cloud deployments, key management services, encryption to meet New York Department of Financial Services (NY DFS) cybersecurity regulations, data loss prevention (DLP), and cloud access security broker (CASB).
The survey was conducted in November 2019 and this report provides valuable feedback from 22 senior IT/security leaders and chief architects from large enterprise companies.