OPINION: Data Management Just Became a Little Harder
As financial institutions come to grip with the risk management and reporting requirements of the New York State Department of Financial Services’ new cyber-security regulation, some firms might overlook the regulation’s mandated use of encryption.
Encryption is hardly a new issue for financial institutions. Most firms already use the popular Pretty Good Privacy (PGP) encryption, which has been around since 1991, to protect sensitive data transmitted to regulators such as the Bank of England and to other businesses, encrypting messages just before they traverse the corporate firewall.
However, the regulation has introduced a new wrinkle for financial institutions. According to the regulation’s text, “each covered entity shall implement controls, including encryption, to protect non-public information held or transmitted by the covered entity both in transit over external networks and at rest.”
Encrypting nonpublic data while it is “at rest” will be something new for many firms.
“Endpoint encryption is a more secure solution, and we strongly believe that data should be encrypted at rest,” said Jacob Ginsberg, senior director of products at e-mail encryption vendor Echoworx. “The main challenges are that you lose insight into your email from a human and a security perspective.”
Using e-mail as an example, firms that use endpoint encryption lose the ability to scan for viruses and spam, while adding the requirement to maintain encryption keys for archived e-mail for potential e-discovery needs, he explained.
Which data is affected by the new regulation? The rule defines non-public information as business-related information that would cause a material adverse impact on the business, operations, or security if the information is accessed, altered, or disclosed without proper authorization. For clients who are individuals, this includes Social Security numbers, driver’s license numbers, account numbers, credit/debit card numbers, any associated security or access codes, and biometric records, as well as any information derived from healthcare providers and individuals regarding an individual’s medical history or healthcare payments.
Although this may not affect trade executions or big data analytics directly, it will affect everything from a firm’s client onboarding systems to their customer relationship management platforms in the front office. Data management has just become more difficult for everyone.