Changes in NYDFS Cybersecurity Regulations 23 NYCRR 500
The New York State Department of Financial Services (NYDFS) has just issued an updated version of its proposed Cybersecurity Requirements For Financial Services Companies, known as 23 NYCRR 500. Though these rules may still be modified before they become official at the end of January, the consensus is that this most recent draft is essentially final.
Despite containing numerous changes, the basic thrust of the rules remains the same. NYCRR 500 covers creating a cybersecurity program for financial firms and establishing cybersecurity policy. As Maria T. Vullo, Superintendent of NYDFS commented, “New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information.”
In changing the proposed rules, NYDFS has evidently incorporated many ideas they received during a 45-day comment period. For reference, Attorneys Thomas M. Dawson and Yuliya Feldman published a thorough analysis of the changes in The National Law Review. In this article, we highlight the changes relevant to Privileged Access Management (PAM).
Privileged Access Management and NYCRR 500
PAM consists of the discipline, processes and solutions that control administrative access to critical systems. A privileged user can modify the administrative backend of a system, e.g. setting up, modifying or deleting user accounts. He or she may be able to reconfigure systems, erase logs or override security features. The serious implications of privileged access place it at the center of many security policies. PAM is meant to ask and answer one of the most basic questions that arises in security: “Who is allowed to do what?” Then, PAM documents who did what, when and where…
NYCRR 500 updated rules affecting PAM include:
- The risk assessment mandated for covered entities has been changed from “annual” to “periodic.” In addition, this periodic risk assessment has evolved from being a basic requirement under NYCRR 500 to become what is effectively the foundation for planning operations and related security policies. This sweeping change affects audit trails, third party service provider security policies and multi-factor authentication. Each of these areas of security policy touches on PAM, either directly or indirectly. For example, privileged access requires a rigorous audit trail, and PAM provides an unimpeachable audit trail for privileged users, which virtually no other solution can provide.
- The “Third Party Service Provider Security Policy” aspects of the regulations have been revised. There is now flexibility in the way security policies are defined and implemented for third party service providers, based on the risk assessment. The policies are now to be implemented “to the extent possible” versus the “minimum required” language in the earlier draft. Security policies should encompass any privileged access rights assigned to third parties. Privileged access for third parties is quite common with IT outsourcing. Employees of IT support firms may routinely need remote, privileged access to critical systems. It is also a potentially serious security issue. Covered Entities may have little knowledge of or control over employees of third parties, so PAM is essential to safeguard these systems administered by third parties.
- There is now more flexibility for Covered Entities to use the cybersecurity resources of other firms. While this may be a sensible way to avoid overburdening smaller firms with excessive regulatory compliance, this does present a risk. If the third-party firm being relied upon for cybersecurity resources has deficient PAM controls, the Covered Entity will be exposed to the risks of data breaches and insider threats via that third party. So, any entity responsible for handling confidential financial data needs to take a very methodical approach to PAM and adhere to NYCRR 500 and similar frameworks.
- New effective dates and transitional periods. There is now more time to implement these controls. While this gradual phasing of requirements may be a sensible way to spare firms a rush to implement, in our view, it may not be sound security policy. Under this proposed schedule, third party privileged users could operate without adequate controls for two years before the Covered Entity would have policies governing their actions, including privileged access. That’s a lot of time for things to go wrong that could have been fixed with an adequate PAM solution in place (for instance, the WALLIX Bastion, which is easier to deploy than most PAM solutions, can be deployed in less than a month for most customers).
- The basic Risk Assessment and CISO’s first report to the board of directors is set for 1 year after release.
- The Policies, Procedures and Controls for Monitoring Activity of Authorized Users have been pushed out to 18 months after the release of the rules.
- Third party service provider security policy is now set for two years after release.
How PAM Solutions Work
PAM solutions centrally and quickly manage access over a disparate set of heterogeneous systems. Most include the following components:
- Access Manager – Governs access to privileged accounts as a single point of policy definition and enforcement.
- Password Vault – Prevents privileged users from knowing the actual passwords to critical systems. This prevents a manual override on a physical device, for example.
- Session Manager – Tracks and records actions taken during a privileged account session.
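To make the three components concrete, here is a constructed Python model (added for illustration; not WALLIX code or any product's API) of an access manager enforcing a policy, a vault that injects credentials the privileged user never sees, and a session manager whose audit trail is hash-chained so that a later rewrite of a recorded action is detectable, which is the kind of property the "unimpeachable audit trail" above refers to. The policy, targets and passwords are all constructed sample values.

```python
"""Constructed model of the PAM components listed above (not WALLIX code)."""
import hashlib
import json

# Constructed policy: (privileged user, target) -> permitted commands.
POLICY = {
    ("alice", "core-banking-db"): {"status", "backup"},
    ("vendor-tech", "payments-gw"): {"status"},   # third-party admin
}
# Constructed vault contents; only the gateway ever reads these.
VAULT = {"core-banking-db": "cb-secret", "payments-gw": "pg-secret"}


class SessionManager:
    """Records every attempted privileged action in a hash chain."""
    def __init__(self):
        self.trail = []
        self._prev = "0" * 64

    def record(self, user, target, command, allowed):
        entry = {"user": user, "target": target, "command": command,
                 "allowed": allowed, "prev": self._prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.trail.append(entry)

    def verify(self):
        """True unless an entry was altered, reordered or dropped mid-chain."""
        prev = "0" * 64
        for e in self.trail:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def _open_session(target):
    """Stand-in for the gateway authenticating to the target with the
    vaulted password; it returns an opaque handle, never the password."""
    password = VAULT[target]
    return hashlib.sha256(f"{target}:{password}".encode()).hexdigest()[:12]


def privileged_run(sessions, user, target, command):
    """Access manager: the single point where policy is checked, the
    credential is consumed and the action is recorded."""
    allowed = command in POLICY.get((user, target), set())
    sessions.record(user, target, command, allowed)
    if not allowed:
        return None
    return f"{command} ok on {target} via session {_open_session(target)}"
```

The user-visible result never contains the vaulted password, and editing any recorded entry afterwards makes `verify()` fail.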
WALLIX for Financial Sector Privileged Access Management
WALLIX establishes the kind of pervasive, sustainable PAM called for in the updated 23 NYCRR 500 rules. The WALLIX Bastion makes it possible for Covered Entities to get their PAM-related controls and security policies in order quickly. In addition to making systems more secure, sooner, putting PAM into place early with WALLIX will also reduce the need to rework security policies affecting privileged access after the initial rollout of 23 NYCRR compliance.
WALLIX Bastion accomplishes these objectives through a single gateway with single sign-on for access by system admins. Through this capability, the financial firm’s IT department can define and enforce access policies for admins as well as for the employees who need system access. This bastion-type solution is able to span cloud and on-premises system deployments.
The Bastion’s agent-less architecture is well-suited to the highly varied infrastructure scenarios found in the financial industry. Other PAM solutions require a software agent installed on each target system. This is effectively a non-starter when systems are spread out across multiple platforms in cloud and on-premises combinations. When agents are required, PAM will likely be abandoned or neglected to the point where it won’t perform its basic functions. WALLIX Bastion helps ensure that you won’t fall into this trap.
For more information about the WALLIX Bastion, or for a proof of concept or free demo, give us a shout.