Compliance, Privileged Access Management

Changes in NYDFS Cybersecurity Regulations 23 NYCRR 500

The New York State Department of Financial Services (NYDFS) has just issued an updated version of its proposed Cybersecurity Requirements For Financial Services Companies, known as 23 NYCRR 500. Though these rules may yet still be modified before they become official at the end of January, the consensus is that this most recent draft is essentially final.

Despite containing numerous changes, the basic thrust of the rules remains the same. NYCRR 500 covers creating a cybersecurity program for financial firms and establishing cybersecurity policy. As Maria T. Vullo, Superintendent of NYDFS commented, “New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information.”

In changing the proposed rules, NYDFS has evidently incorporated many ideas they received during a 45-day comment period. For reference, Attorneys Thomas M. Dawson and Yuliya Feldman published a thorough analysis of the changes in The National Law Review. In this article, we highlight the changes relevant to Privileged Access Management (PAM).

Privileged Access Management and NYCRR 500

PAM consists of the discipline, processes and solutions that control administrative access to critical systems. A privileged user can modify the administrative backend of a system, e.g. setting up, modifying or deleting user accounts. He or she may be able to reconfigure systems, erase logs or override security features. The serious implications of privileged access place it at the center of many security policies. PAM is meant to ask and answer one of the most basic questions that arises in security: “Who is allowed to do what?” Then, PAM documents who did what, when and where…

NYCRR 500 updated rules affecting PAM include:

The risk assessment mandated for covered entities has been changed from “annual” to “periodic.” In addition, this periodic risk assessment has evolved from being a basic requirement under NYCRR 500 to become what is effectively the foundation for planning operations and related security policies. This sweeping change affects audit trails, third party service provider security policies and multi-factor authentication. Each of these areas of security policy touch on PAM, either directly or indirectly. For example, privileged access requires a rigorous audit trail and PAM provides an unimpeachable audit trail for privileged users– which virtually no other solution can provide.
The “Third Party Service Provider Security Policy” aspects of the regulations have been revised. There is now flexibility in the way security policies are defined and implemented for third party service providers, based on the risk assessment. The policies are now to be implemented “to the extent possible” versus the “minimum required” language in the earlier draft. Security policies should encompass any privileged access rights assigned to third parties. Privileged access for third parties is quite common with IT outsourcing. Employees of IT support firms may routinely need remote, privileged access to critical systems. It is also a potentially serious security issue. Covered Entities may have little knowledge of or control over employees of third parties, so PAM is essential to safeguard these systems administered by third parties.
There is now more flexibility for Covered Entities to use the cybersecurity resources of other firms. While this may be a sensible way to avoid overburdening smaller firms with excessive regulatory compliance, this does present a risk. If the third-party firm being relied upon for cybersecurity resources has deficient PAM controls, the Covered Entity will be exposed to the risks of data breaches and insider threats via that third party. So, any entity responsible for handling confidential financial data needs to take a very methodical approach to PAM and adhere to NYCRR 500 and similar frameworks.
New effective dates and transitional periods. There is now more time to implement these controls. While this gradual phasing of requirements may be a sensible way to spare firms a rush to implement, in our view, it may not be sound security policy. Under this proposed schedule, third party privileged users could operate without adequate controls for two years before the Covered Entity would have policies governing their actions, including privileged access. That’s a lot of time for things to go wrong that could have been fixed with an adequate PAM solution in place (For instance, the WALLIX Bastion, while easier to deploy than most PAM solution, can be deployed in less than a month for most customers).
The basic Risk Assessment and CISO’s first report to the board of directors is set for 1 year after release.
The Policies, Procedures and Controls for Monitoring Activity of Authorized Users have been pushed out to 18 months after the release of the rules.
Third party service provider security policy is now set for two years after release.

How PAM Solutions Work

PAM solutions centrally and quickly manage access over a disparate set of heterogeneous systems. Most include the following components:

Access Manager – Governs access to privileged accounts as a single point of policy definition and enforcement.
Password Vault – Prevents privileged users from knowing the actual passwords to critical systems. This prevents a manual override on a physical device, for example.
Session Manager – Tracks and records actions taken during a privileged account session.

WALLIX for Financial Sector Privileged Access Management

WALLIX establishes the kind of pervasive, sustainable PAM called for in the updated 23 NYCRR 500 rules. The WALLIX Bastion makes it possible for Covered Entities to get their PAM-related controls and security policies in order quickly. In addition to making systems more secure, sooner, putting PAM into place early with WALLIX will also reduce the need to rework security policies affecting privileged access after the initial rollout of 23 NYCRR compliance.

WALLIX Bastion accomplishes these objectives through a single gateway with single sign-on for access by system admins. Through this capability, the financial firm’s IT department can define and enforce access policies for admins as well as for the employees who need system access. This bastion type solution is able to span cloud and on-premises system deployments.

The Bastion’s agent-less architecture is well-suited to the highly varied infrastructure scenarios found in the financial industry. Other PAM solutions require a software agent installed on each target system. This is effectively a non-starter when systems are spread out across multiple platforms in cloud and on-premises combinations. When agents are required, PAM will likely be abandoned or neglected to the point where it won’t perform its basic functions. WALLIX Bastion helps ensure that you won’t fall into this trap.

For more information about the WALLIX Bastion, or for a proof of concept or free demo, give us a shout.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Changes in NYDFS Cybersecurity Regulations 23 NYCRR 500

Privileged Access Management and NYCRR 500

NYCRR 500 updated rules affecting PAM include:

How PAM Solutions Work

WALLIX for Financial Sector Privileged Access Management

Cloud Bastion: WALLIX now on AWS and Azure

PAM and Third Party App Maintenance

Related Blogs

Related Resources

Products

Solutions

Resources

About