In late 2023, the New York State Department of Financial Services (NYDFS) updated its cybersecurity regulations under 23 NYCRR 500, reflecting the evolving threat landscape financial services institutions face. These changes introduced stricter controls and broader requirements, emphasizing the need for enhanced multi-factor authentication (MFA), rigorous access management, and stronger third-party oversight. While these updates are a step in the right direction for bolstering cybersecurity governance within the financial services sector, they also present significant challenges, particularly when dealing with nonstandard and disconnected applications.

The phrase “nonstandard applications” is a catch-all term for applications that don’t support identity standards like SAML, OIDC, and SCIM. Because they lack SSO and centralized user provisioning and deprovisioning, these apps are disconnected from identity providers (IdPs) like Okta, Microsoft Entra ID, and Ping Identity.

Let’s look at the sections most likely to cause heartburn for IAM and GRC teams.

Access Privileges and Management (Section 500.7)

One of the critical challenges posed by the updated regulations is the meticulous management of access privileges. This means ensuring that privileged access is minimized and aligned with job necessities, and that redundant access is swiftly terminated. In practice it requires maintaining detailed access logs, conducting regular audits, and manually adjusting access rights as roles and responsibilities change (good luck!). IAM and IGA platforms often provide the tools to manage these access privileges effectively for standard applications. However, nonstandard applications—those that lack API support or SCIM compatibility—pose a unique challenge. Without the ability to integrate seamlessly with IAM platforms like Okta and Entra ID (Azure AD), these applications can become blind spots, making it difficult to enforce access controls and increasing the risk of insider threats and accidental data exposure.

Given that recent research by the Ponemon Institute found that the median number of nonstandard applications in many organizations is 176, the time and expense of manually performing this work can be cost-prohibitive and often leads to noncompliance fines. Looking for cost savings in your IAM program? This might be an excellent area to find it.

Real-world example

Consider a financial services firm using a third-party SaaS platform that does not support SSO (very common). Manually managing access privileges for this system can be labor-intensive and prone to errors (and oftentimes is not even manageable by the firm, but only by the third party). When employees leave the company, their access must be revoked to prevent unauthorized use. Without automation, this process can be delayed, exposing the firm to potential insider threats.

Monitoring Privileged Access Activity (Section 500.7(c))

The updated regulations require regular monitoring of privileged access activity to prevent unauthorized access. This is relatively straightforward for applications integrated with Privileged Access Management (PAM) and SIEM platforms, which enable continuous monitoring and auditing. However, nonstandard applications often fall outside the scope of these platforms due to their lack of support for standards. To comply with the requirement to monitor privileged access activity regularly, companies must implement manual monitoring processes for nonstandard applications. This could involve frequent log reviews, scripts, setting up makeshift alert systems, and dedicating significant staff time to constant oversight. Given the volume of data and the potential for human error, this manual approach can be inefficient and ineffective, potentially allowing unauthorized access to go undetected.

Real-world example

A bank might use specialized trading software that lacks integration capabilities with its PAM and SIEM platforms. Without visibility into this application's activities, the bank may miss critical signs of unauthorized access or misuse, potentially resulting in significant financial losses and regulatory penalties.

Multi-Factor Authentication (Section 500.12)

The enforcement of stringent MFA is another cornerstone of the updated NYDFS regulations–and rightly so. Way back in 2019, Microsoft found that MFA can block over 99.9 percent of account compromise attacks. While many modern applications come with built-in support for MFA, nonstandard applications often do not. For these applications, organizations must develop custom solutions or workarounds to integrate MFA, which can be costly and time-consuming. This process usually requires close coordination between IT and security teams to ensure that MFA is consistently applied, creating additional administrative burdens and potential points of failure. Without comprehensive MFA coverage, organizations risk unauthorized access, leading to possible data breaches and hefty non-compliance fines.

Asset Management and Data Retention (Section 500.13(a))

Maintaining accurate and complete asset inventories, including all SaaS subscriptions and on-prem applications, is essential for compliance. However, traditional asset management processes often overlook nonstandard applications and freemium or paid SaaS subscriptions. Discovering and cataloging these assets manually can be time-consuming and prone to errors, increasing the risk of non-compliance and potential financial and reputational damage. Companies must establish rigorous processes for asset discovery, classification, and documentation. This can involve frequent manual audits, reliance on spreadsheets or other basic tools, and constant vigilance to ensure no application or subscription is overlooked. The manual nature of this process increases the likelihood of errors, leading to incomplete inventories.

Where do we go from here?

Addressing these challenges without specialized tools is laborious and fraught with risks. While possible, manually managing access privileges, monitoring activities, implementing MFA, and maintaining accurate asset inventories are highly labor-intensive and prone to errors. This approach strains organizational resources and leaves significant room for vulnerabilities.

How Cerby can help

While complying with NYDFS regulations is challenging, particularly concerning nonstandard applications, tools like Cerby can fill the gap and provide significant cost savings. Cerby extends the capabilities of existing IAM and IGA investments, offering dynamic access control and real-time management of user privileges for applications typically unreachable by traditional identity platforms.

Cerby also enhances monitoring capabilities by providing visibility into user activities within nonstandard applications, aiding in the rapid detection and remediation of unauthorized access incidents. Perhaps most importantly, Cerby extends MFA to applications lacking native support, ensuring comprehensive security coverage.

On the detection front, Cerby’s browser plugin automatically discovers nonstandard applications and SaaS subscriptions for asset management, helping organizations maintain accurate and complete asset inventories in line with regulatory demands.

While the updated NYDFS regulations present challenges, particularly with nonstandard applications, leveraging tools like Cerby can help organizations navigate these complexities, ensure compliance, and enhance their overall cybersecurity posture.


Learn More About Cerby

Ready to include all your applications in your compliance program? Schedule your personalized demo now to discover how Cerby can streamline your compliance with NYDFS regulations.