Nabeel Nizar | July 25, 2024 | 5 min read
What Financial Organizations Need to Know About the New NYDFS User Access Review Requirements
Navigating the regulatory landscape of the financial sector has always been challenging, and the evolving standards of the New York Department of Financial Services (NYDFS) are no exception. In this blog post, you’ll learn about NYDFS, the 23 NYCRR Part 500 cybersecurity regulations, and how it now calls for annual User Access Reviews (UARs) for financial institutions.
What is the New York Department of Financial Services?
The New York Department of Financial Services (NYDFS) is a regulatory agency responsible for supervising and regulating financial services and products in the state of New York. Created in 2017, the NYDFS oversees a wide range of financial entities, including:
- Banks: Both state-chartered and foreign banks operating in New York.
- Insurance Companies: Including life, health, and property/casualty insurers.
- Mortgage Brokers and Lenders: Entities involved in mortgage origination and servicing.
- Financial Services Firms: Companies providing various financial services, such as money transmitters and payday lenders.
- Virtual Currency Businesses: Companies dealing with cryptocurrencies and other virtual currencies.
The NYDFS aims to ensure the security of the financial system, protect consumers from financial fraud, and promote economic growth through regulation, enforcement, and policy development.
What is Cybersecurity Regulation, 23 NYCRR Part 500?
The Cybersecurity Regulation, 23 NYCRR Part 500, is a set of regulations established by the New York Department of Financial Services (NYDFS) to enhance the cybersecurity practices of financial institutions under its jurisdiction. It became effective on March 1, 2017 and has since been amended multiple times (more on that later).
Important Elements of the NYDFS Regulation
The regulation aims to strengthen the cybersecurity posture of financial institutions and protect sensitive consumer data by creating requirements around the following areas:
- The implementation and maintenance of a cybersecurity program with functions and policies determined by each entity’s risk assessment
- The designation of a Chief Information Security Officer (CISO) to retain responsibility for compliance with the regulatory requirements
- The ongoing performance of vulnerability management, including penetration testing and automated monitoring
- Governing user access to privileged systems, including conducting yearly (at minimum) User Access Reviews and implementing Privileged Access Management (PAM)
- The implementation of Multi-factor Authentication for Privileged accounts and any application with non-public information
- The implementation of risk-based policies and controls and yearly (at minimum) cybersecurity awareness training
- The implementation of an EDR solution and a solution for centralized logging and security event alerting.
The New NYDFS Regulation Around User Access Reviews
Part of the recent amendment to the regulation is a requirement around user access reviews (UARs). Historically, the only regulatory requirement for the ongoing performance of UARs has come from the Sarbanes-Oxley Act, which requires quarterly UARs and only applies to publicly traded companies.
Under the new amendment, all financial organizations under the purview of the NYDFS must now conduct annual user access reviews.
Here’s the full regulation around UARs, which comes from section 500.7 (Access privileges and management):
- As part of its cybersecurity program, based on the covered entity’s risk assessment each covered entity shall:
  - limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user’s job;
  - limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job;
  - limit the use of privileged accounts to only when performing functions requiring the use of such access;
  - periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
  - disable or securely configure all protocols that permit remote control of devices; and
  - promptly terminate access following departures.
The Challenge of UARs for Financial Institutions
One of the biggest challenges we’re seeing around this new requirement is that many financial applications are either self-hosted or don’t have APIs that can readily extract user and account permissions. This could introduce a host of problems when it comes time for an annual UAR.
First and foremost, this situation results in having to conduct the UARs manually, which is both time-consuming and error-prone. Because the process is manual, the scale of the UARs becomes problematic as the number of applications grows. Manual reviews may also delay the detection of unauthorized access or anomalies, leading to reactive rather than proactive incident response.
We recommend utilizing a dedicated Identity Governance and Administration (IGA) tool such as SailPoint or Saviynt to help streamline and automate the UAR process. IGA tools are purpose-built for this type of governance but can still be challenging to set up and integrate into an environment.
If you already have an Identity Security solution that addresses the need for Lifecycle Management, either through Okta or Microsoft Entra ID, then you can also look at best-of-breed UAR solutions from vendors like Zilla, Lumos, and others.
Keep in mind that the bulk of financial applications are “disconnected”: they reside in hosted cloud environments with no APIs available for integration. Since data accuracy and validation are of the utmost concern, you might also want to consider a File Operations tool, like Aquera, to handle the Extraction, Transformation and Load (ETL) of their access data into your UAR/IGA solution.
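To make the review logic concrete for a disconnected application, here is an added example (not code from the original post or from any vendor named in it) that reconciles a constructed CSV account export against a constructed HR roster and flags the three things section 500.7 asks a reviewer to act on: access held by departed or unknown owners, roles beyond what the job requires, and privileged accounts no longer in use. The column names, roles, the role-to-job mapping, the 90-day threshold and every sample row are assumptions made for the example.

```python
"""Added example, not from the original post: a minimal annual User Access Review
for a "disconnected" application whose only export is a CSV. All names, columns,
roles, the role-to-job mapping and the sample rows are constructed assumptions."""
import csv
import io
from datetime import date

# Constructed export from the application (assumed columns).
APP_EXPORT = """username,role,enabled,last_login
alice,admin,true,2024-07-01
carol,admin,true,2024-03-15
dave,admin,true,2024-07-10
erin,service_admin,false,2024-01-05
frank,admin,true,2024-02-01
svc_batch,admin,true,2024-07-24
"""

# Constructed HR roster: the source of truth for who still works here.
HR_ROSTER = """username,status,job_function
alice,active,platform_ops
carol,terminated,platform_ops
dave,active,trading
frank,active,platform_ops
"""

# Assumed least-privilege mapping: the roles each job function actually needs.
ROLES_FOR_FUNCTION = {"platform_ops": {"admin"}, "trading": {"analyst"}}
PRIVILEGED_ROLES = {"admin", "service_admin"}
STALE_DAYS = 90  # assumed threshold for an unused privileged account
REVIEW_DATE = date(2024, 7, 25)  # constructed date of the annual review


def review_access(app_csv, hr_csv, today):
    """Return (username, finding, role) tuples for the reviewer to act on."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(app_csv)):
        if acct["enabled"] != "true":
            continue  # already disabled; nothing left to remove
        user, role = acct["username"], acct["role"]
        hr = roster.get(user)
        if hr is None or hr["status"] != "active":
            findings.append((user, "no_active_owner", role))  # departures and orphaned accounts
            continue
        if role not in ROLES_FOR_FUNCTION.get(hr["job_function"], set()):
            findings.append((user, "role_not_required", role))  # more than the job needs
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if role in PRIVILEGED_ROLES and idle_days > STALE_DAYS:
            findings.append((user, "stale_privileged", role))  # privileged access no longer used
    return findings
```

Running `review_access(APP_EXPORT, HR_ROSTER, REVIEW_DATE)` flags carol (terminated), dave (admin where only analyst is needed), frank (admin unused for 175 days) and svc_batch (no owner in the roster), while alice and the already-disabled erin produce no finding.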
Complimentary Workshop
If you would like to discuss best practices for beginning your UAR process or other NYDFS regulatory requirements, our advisory team is offering a complimentary half-day workshop. We are happy to sit down and offer our experience without any commitment on your end. Just contact us here to request your complimentary workshop.
In Conclusion
The amended regulations set forth by the NYDFS introduce an additional layer of requirements for financial organizations doing business in New York. While well-intentioned, the steps to compliance represent quite a large shift when compared to the standards that organizations were previously facing.
Our team of identity consultants has deep experience helping companies of all sizes and industries implement solutions to meet compliance requirements while creating business value through strong identity security programs.
If you’re interested in learning more, feel free to reach out.