Enforcing 23 NYCRR 500: The Buck Stops with the CISO

In 2017, the New York Department of Financial Services (NYDFS) passed regulation 23 NYCRR 500, designed to promote the protection of customer information as well as regulated entities’ information technology systems. But it wasn’t until March 2019 that New York-based financial service and insurance (FSI) firms had to comply with the legislation. Ever since, the industry has been waiting to see how it would be enforced. In July 2020, we got the answer when NYDFS published its first enforcement action against First American Title Insurance under the new legislation — and it set a sobering precedent for CISOs and their data engineers and architects when it comes to data access control and compliance.

Haven’t we been here before? In recent years there has been a raft of legislation aimed at protecting consumers’ digital rights: GDPR in Europe, and CCPA in California, which augments the existing federal protections consumers there enjoy. But what makes 23 NYCRR 500 different — and highly significant — isn’t the what, but the who.

While existing state and federal privacy legislation in the US provides for individual officers to be held accountable for data breaches and misuse of consumer data, it does not stipulate who is responsible for implementing an effective control environment.

In Europe, GDPR states that many entities must appoint a Data Protection Officer (DPO), and provides guidance that DPOs are responsible for “monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits” but stops short of making them responsible for implementation.

On both sides of the Atlantic, responsibility for designing and implementing controls to ensure compliance with respective legislation falls implicitly on management teams — the same teams that have a myriad of other urgent and important priorities. And in the competition between production and protection, production often wins out.

A tried and true way to ensure initiatives receive sufficient attention is to make them explicitly someone’s problem; that is exactly what the NYDFS has done:

Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”).

The main aim of 23 NYCRR 500 is to mandate that FSI firms (covered entities) design and implement a robust and comprehensive cybersecurity program, and monitor its effectiveness. But the legislation goes further in requiring FSI firms to:

  1. Classify data in terms of its sensitivity,
  2. Implement a data access control program, and
  3. Monitor both authorized and unauthorized access to sensitive data.

These are areas that a CISO may dismiss as outside their mandate. In the NYDFS statement of charges (see paragraph 31), this was exactly the position First American Title’s CISO took when interviewed by the NYDFS.

Compounding this challenge is the growing commercial imperative for FSI firms to leverage data via self service access and other data analytic initiatives. CISOs find themselves between a rock and a hard place, but there are some tools that can help.

As noted above, 23 NYCRR 500 is broad in scope and requires a three-pronged people-process-systems approach to ensure compliance. Immuta’s suite of data access control and monitoring tools, combined with the technical expertise of empowered data engineering teams, can help achieve a systematic, comprehensive solution to data privacy.

Classifying Sensitive Data

23 NYCRR 500 stipulates that firms must implement a process to classify data, and lists attributes that determine the level of sensitivity. To comply with the legislation, CISOs need data engineers to have a scalable method of sensitive data discovery and classification. Immuta’s sensitive data discovery and intuitive, no-code data policy authoring accelerate the otherwise labor-intensive process, allowing for faster, more unified data classification that helps ensure no sensitive data slips through the cracks. This gives data engineers more bandwidth and CISOs more oversight on the data control environment.

Implementing Data Access Controls

Striking the right balance between security and utility is a delicate task, particularly at scale. However, while accountability rests with the CISO, it is the data engineers’ and architects’ jobs to implement technology which can enforce the appropriate controls.

Immuta’s fine-grained access control system provides self-service access to data with always-on security. In addition to role-based access control and attribute-based access control, which can leverage data discovery tags, data engineers and architects can set purpose-based access controls to ensure data is being accessed for the right reasons — a critical control measure for CISOs who need to be able to verify that data is being used on an as-needed basis. With Immuta, these dynamic controls can be monitored and periodically reviewed, in accordance with 23 NYCRR 500.

Monitoring Usage of Sensitive Data

The new legislation requires implementation of intrusion detection programs, but goes further by demanding that firms also administer controls to monitor data access and use by authorized users. Therefore, empowering data engineers and architects with tools to monitor all data usage in real time and log access requests and permissions is critical.

Immuta’s data monitoring and detection compile all data access requests, permissions granted, changes to policies, data uses, user-generated queries and more. This information can be funneled into an automated report that delivers a detailed level of transparency into who is using data, how and for what purpose, allowing teams to proactively map approved access controls to permissions granted and pinpoint any discrepancies. Having these thorough reports helps data engineers and CISOs flag unintended data usage and take measures to halt it immediately.

While 23 NYCRR 500 puts added responsibility on CISOs, and in turn on data engineers and architects, to implement data protection measures in a highly accountable manner, the legislation doesn’t mean that teams need to be burdened with additional labor-intensive measures to ensure their data is secure and auditable. Working together with the right tools makes the process not just safe, but potentially faster than ever, so CISOs and data teams alike can rest assured knowing their information is protected and compliant.

Take the next steps to protect your data and ensure compliance. We’ve created a playbook on How to Design and Implement a Governance, Risk and Compliance Framework for Enterprise Data Analytics. Access part one of our webinar on building a GRC framework and then check out part two here.