Compliance

Compliant with the highest standards, CYPFER’s reputable expert team handles your cyber incident response matter with the utmost care, confidentiality and professionalism.

CYPFER is a registered Money Services Business (MSB) with FINTRAC, and is required to follow a defined standard of Anti-Money Laundering (AML) and Know Your Client (KYC) compliance.

In certain cases the following rules, regulations, and frameworks may apply to CYPFER, its clients and its business:

  • Office of Foreign Assets Control – OFAC Sanctions List
  • Financial Modernization Act / Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • NIST Cybersecurity Framework
  • NYDFS Cybersecurity Regulation
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Federal Information Security Management Act (FISMA)

See below for more detailed descriptions.


OFFICE OF FOREIGN ASSETS CONTROL – OFAC SANCTIONS LIST

The United States Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.

OFAC publishes lists of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific.

CYPFER duly checks the Threat Actor’s wallet information against the OFAC Sanctions Lists prior to making any ransom payment. Accordingly, we will not proceed with settlement if the Threat Actor is known to be on the OFAC sanctions list.


FINANCIAL MODERNIZATION ACT / GRAMM-LEACH-BLILEY ACT (GLBA)

Cybersecurity is an ever-evolving discipline. Attacks change, technologies come and go, processes adjust, new compliance mandates are regulated, and people are there to hold it all together. But none of this is new, and it is not likely to change much. It’s the way of life for today’s security organizations.

React to security incidents and breaches with the help of our GLBA compliant CYPFER team.

What is the Financial Modernization Act / Gramm-Leach-Bliley Act (GLBA)?

The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, is a US Federal regulation that includes provisions to protect consumers’ personal financial information held by financial institutions. The policy contains rules to detect account numbers, credit card numbers, and social security numbers, along with other personal financial information and personal information.

The rules for this policy include:

  • GLBA: CCN (Default)
  • GLBA: CCN (Narrow)
  • GLBA: Name and SSN
  • GLBA: SSN and Personal Finance Terms
  • GLBA: SSN and Account
  • GLBA: RTN/ABA (wide)
  • GLBA: RTN/ABA (narrow)
  • GLBA: RTN/ABA (default)
  • GLBA: Name and 10 digit account numbers
  • GLBA: Name and 9 digit account numbers
  • GLBA: Name and 5-8 digit account numbers
  • GLBA: Name and Personal Finance Terms
  • GLBA: Name and Sensitive Disease or drug
  • GLBA: Names (Narrow) and Sensitive Disease or drug
  • GLBA: Name and Contact Info

Benefit of GLBA

GLBA applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers. Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counselling; providing residential real estate settlement services; collecting consumer debts), are all required to comply.

CYPFER helps ease the pain of ransom payments arising from data breaches and data leaks. We protect your customers’ trust through our GLBA compliant services.


HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

An enormous amount of personal information is shared every day, and cybercriminals want access to it. Unfortunately, they’re succeeding: many organizations, big and small, have fallen victim to data breaches that exposed personal information.

If you’re a professional working in the healthcare, accounting, legal, or insurance industries, you’re likely very aware of the importance of HIPAA compliance. CYPFER works to ensure your data is protected and returned to you while remaining compliant with HIPAA and PIPEDA regulations.

What is the Health Insurance Portability and Accountability Act (HIPAA)?

Enacted in 1996, HIPAA is intended to improve the efficiency and effectiveness of the health care system. As such, it requires the adoption of national standards for electronic health care transactions and code sets, as well as unique health identifiers for providers, health insurance plans and employers.

The rules for this policy include:

  • HIPAA: Credit cards and Common Diseases
  • HIPAA: Credit cards and Sensitive Disease or drug
  • HIPAA: DNA profile (default)
  • HIPAA: DNA profile (narrow)
  • HIPAA: DOB and Name (default)
  • HIPAA: DOB and Name (wide)
  • HIPAA: ICD10 Code and Description
  • HIPAA: ICD10 Codes and US full names
  • HIPAA: ICD10 Descriptions and US full names
  • HIPAA: ICD9 Code and Description
  • HIPAA: ICD9 Codes and US full names
  • HIPAA: ICD9 Descriptions and US full names
  • HIPAA: Medical Form (Default)
  • HIPAA: Medical Form (Narrow)
  • HIPAA: Medical Form (Wide)
  • HIPAA: Name and Common Diseases
  • HIPAA: Name and Contact Info
  • HIPAA: Name and HICN
  • HIPAA: Name and Sensitive Disease or drug
  • HIPAA: Names (Narrow) and Common Diseases
  • HIPAA: Names (Narrow) and Sensitive Disease or drug
  • HIPAA: NDC number (default)
  • HIPAA: NDC number (narrow)
  • HIPAA: NDC number (wide)
  • HIPAA: SSN and Common Diseases
  • HIPAA: SSN and Sensitive Disease or drug

To read the full law, please visit: https://www.hhs.gov/hipaa/

Benefits of HIPAA

HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.

CYPFER understands these regulations and is 100% HIPAA compliant.


NIST CYBERSECURITY FRAMEWORK

Cybersecurity starts with understanding the organization, its mission and its risk tolerance. Part of this is understanding the organization’s role in critical infrastructure. These are used to define roles, responsibilities, policies, and processes.

CYPFER has adopted this cybersecurity framework to scale and formalize security operations. Trust CYPFER for all your ransomware settlements and data recovery needs.

What is NIST Cybersecurity Framework?

Set forth by the National Institute of Standards and Technology under the United States Commerce Department, the Cybersecurity Framework is a set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes guidelines on how to prevent and recover from an attack.

The NIST Cybersecurity Framework is a comprehensive model, organized into five essential functions to safeguard IT environments. Organizations use these Core Functions to evaluate their cybersecurity program from top to bottom, guiding them from identification through recovery.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

To read the NIST framework, please visit: https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/nist-framework

Benefits of the NIST Cybersecurity Framework

The NIST Cybersecurity Framework seeks to address the lack of standards when it comes to security. There are currently major differences in the way companies are using technologies, languages, and rules to fight hackers, data pirates, and ransomware.

At CYPFER, we base all our solutions on the NIST framework. We take a defense-in-depth approach to security by using multiple layers of security controls. Combining people, processes and technology ensures that your data is cared for and attacks are mitigated as efficiently as possible.


NYDFS CYBERSECURITY REGULATION

Financial institutions are a target-rich environment for cybercriminals, as they offer multiple avenues for profit such as extortion, theft, and fraud. Beyond the obvious motivation of financial gain, nation-states and hacktivists also target the financial sector for political and ideological reasons.

With New York known as the “financial capital of the world,” most U.S. financial institutions fall under NYDFS regulation. In addition, many international organizations have operations in New York. All of these banks and financial services companies must secure their assets and customer accounts against cyberattacks in compliance with the NYDFS.

Whether you’re a bank, an insurance company, or a financial services institution, rest assured CYPFER services are compliant with NYDFS.

What is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 and include 23 sections outlining the requirements for developing and implementing an effective cybersecurity program, requiring covered institutions to assess their cybersecurity risks and develop plans to proactively address those risks.

The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.

The rules for this policy include:

  • Cybersecurity Policy Design
  • Reporting Procedures
  • Program Development
  • Third-Party Security
  • Access Privileges

To read the full law, please visit: https://www.dfs.ny.gov/industry_guidance/regulations

Benefits of NYDFS Cybersecurity Regulation

The requirement aims to protect NYDFS regulated entities as well as New York consumers whose private information may be revealed and/or stolen in cybersecurity events. The rules for this policy affect:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Mortgage companies
  • Insurance companies
  • Service providers

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

Any organization that accepts credit or debit cards as a form of payment must comply with the standards set by the Payment Card Industry (PCI) Security Standards Council. Not being compliant with these standards carries damaging effects, including fines, higher transaction fees, reputational harm and a loss of banking relationships. CYPFER’s PCI services help businesses comply with PCI regulations.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The PCI DSS is a set of requirements for enhancing the security of payment customer account data. It was developed by the founders of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, to help facilitate global adoption of consistent data security measures. PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The Council has also issued requirements called the Payment Application Data Security Standard (PA DSS) and PCI PIN Transaction Security (PCI PTS).

The rules for this policy include:

  • Build and Maintain a Secure Retail Point of Sale System
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy that addresses information security

To read the full law, please visit: https://www.pcisecuritystandards.org/security_standards/documents.php

Benefits of PCI DSS Compliance

PCI DSS standards apply to all types of companies that ask for credit card information. The main goal of compliance is to protect the privacy and security of sensitive card data by delivering recommendations on how to secure online business.

At CYPFER, we protect your sensitive data like our own. Rest assured that with our PCI DSS services, your data is handled in a compliant manner.


THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

CYPFER is committed to the highest level of security and is continuing efforts to apply and maintain security standards in every aspect of its business.

What is the Federal Information Security Management Act of 2002 (“FISMA”)?

The Federal Information Security Management Act of 2002 (“FISMA”) imposes a mandatory set of processes that must be followed for all information systems used or operated by a US federal agency or by a contractor or other organization on behalf of a US Government agency. The policy detects combinations of Personally Identifiable Information (PII), such as a social security number or credit card number, with sensitive private information such as health conditions, names of crimes, and ethnicities. Additional rules detect confidential information about the corporate network and confidential documents.

The rules for this policy include:

  • FISMA: CCN and Crimes
  • FISMA: CCN and Ethnicities
  • FISMA: CCN and Sensitive Disease or drug
  • FISMA: Confidential in Document
  • FISMA: Network Information and Security (patterns and IP)
  • FISMA: Network Information and Security (textual patterns)
  • FISMA: Password dissemination for Web traffic
  • FISMA: Proprietary in Document
  • FISMA: SSN and Crimes
  • FISMA: SSN and Ethnicities
  • FISMA: SSN and Sensitive Disease or drug
  • FISMA: Suspected Passwords

To read the full law, please visit: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Benefits of FISMA Compliance

All CYPFER reports demonstrate CYPFER’s compliance with NIST 800-53. As a comprehensive information security standard, the results of this report also demonstrate to our non-federal customers and prospects the strong system of internal controls in place at our firm.