Editor's note: This blog has been updated to reflect the finalized amendments to the NYDFS Cybersecurity Regulation.
Andrea Acciarri (US), PwC Partner, Cyber, Risk & Regulatory
Bob Clark, PwC Partner, Cyber, Risk & Regulatory
Brandon Talisesky, PwC Director, Cyber, Risk & Regulatory
Ed Ponte, Own, Secure for Salesforce Product Manager
Eoghan Casey, Own VP, Cybersecurity & Product Development
John Henry Archer, Own Sr. Director, Partner Channels
To keep pace with the growing problem of data breaches and data loss impacting financial services companies in recent years, the New York State Department of Financial Services (NYDFS) has updated the 23 NYCRR 500 regulation titled “Cybersecurity Requirements for Financial Services Companies.” The updates are substantial, encompassing asset inventory, risk assessment, multi-factor authentication (MFA) implementation, business continuity and disaster recovery (BCDR), governance, and CEO/CISO certification. Companies have one year to comply with the majority of updated requirements of the regulation.
Larger companies (“Class A” companies), with aggregate revenue from New York operations over $20 million, over $1 billion globally, or 2,000 employees globally, must:
- Complete an annual independent audit of the cybersecurity program.
- Implement a privileged access management solution and an access management password solution and controls to prevent the usage of common passwords for privileged accounts.
- Implement an end-point detection and response system to monitor for anomalous activity and generate alerts.
- Enhance business continuity and disaster recovery protocols, including the identification of critical data, the storage of backups isolated from client network connections, and annual testing.
- Require users to authenticate via Multi-Factor Authentication (MFA).
The regulation also requires a compliance filing, which raises the risk of firms falling short and incurring millions in fines. In addition, when amendments take effect, companies must implement new controls, increase the frequency of existing cyber controls, and ensure that they document compliance with the regulation.
While this regulation applies to financial services and insurance companies operating in New York, it will have an impact beyond New York borders. PwC and Own have entered into a Collaboration Agreement to help companies with their data protection and security journeys. If you are using Salesforce to manage your customers’ data, PwC and Own can help you accelerate compliance with this revised NYDFS regulation.
PwC has deep professional experience in NYDFS compliance. PwC can help:
- Assess your cybersecurity programs to determine compliance gaps and provide remediation initiatives.
- Assist with the implementation of process and technology initiatives needed to comply with the NYDFS amendments.
This article walks through several key pieces of the regulation and how using Own products and PwC services can help accelerate compliance with 23 NYCRR 500.
The NYDFS regulation emphasizes the importance of identifying where the highest-risk information assets are located. Data classification is foundational to the efficient and effective deployment of resources to protect sensitive data, particularly nonpublic information. However, without proper tooling, classifying Salesforce data can be an arduous task of manual configuration, field-by-field, through thousands of fields, or an exercise in spreadsheet gymnastics and bulk import/export operations.
Own Secure provides an efficient classification interface that includes the ability to bulk classify, sensitive field recommendations, field usage analysis, and export capabilities.
The enhanced NYDFS regulation highlights the crucial importance of BCDR planning and enumerates minimum requirements for a BCDR plan that all covered entities must comply with, especially maintaining and protecting backups, and being able to restore data rapidly and reliably from backups. The BCDR requirements include “The backups shall be adequately protected from unauthorized alterations or destruction,” “procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite,” and “procedures for the timely recovery of critical data and information systems to resume operations as soon as reasonably possible following a cybersecurity-related disruption to normal business activities.”
Not all backups are created equal, particularly for data stored in the cloud. Having forensic-quality copies of cloud data is essential to support regulatory compliance and incident response. The foundation of Own Recover is proactive forensic-quality preservation of SaaS data, along with associated metadata and logs, enabling organizations to be audit ready at all times.
For many organizations, backing up their Salesforce data daily is sufficient, risking up to a day’s worth of lost data. However, our High-Frequency Backup feature goes even further by backing up highly transactional, frequently changing data as often as every hour.
The updated NYDFS regulation added the requirement to implement and maintain data retention policies and procedures [Section 500.3 (b)]. Own Archive provides additional functionality for safely and securely offloading Salesforce data that must be retained for specific periods. Archive empowers organizations to define, automate, and manage their custom data retention policies, including what data should be archived, how frequently archiving should occur, and how long it is retained. If internal or external requirements change, the data retention policy can be quickly and easily updated in Archive, automatically adjusting the retention period on all applicable records. Benefits of using Archive for regulatory compliance include safely archiving immutable records in the cloud and securing sensitive legacy data to minimize risk and exposure.
To satisfy regulatory requirements, Own also has a capability called Blockchain Verify to compute a cryptographic signature for the forensic-quality copy and to store the signature in a public blockchain to support independent integrity verification.
The updated NYDFS regulation emphasizes recovery from backup for business continuity and disaster recovery (BCDR). However, the NYDFS definition of a “cybersecurity event” does not explicitly mention data loss or corruption. In practice, data loss and corruption, especially when they go undiscovered, severely curtail or outright prevent an organization from meeting BCDR goals. Own believes no company should lose data in the cloud, and our Recover solutions satisfy this requirement for backup and recovery of specific SaaS data.
Recovering data from backups quickly can help avoid weeks of downtime and costly disruption of business. The updated regulation requires a method to track Recovery Time Objectives (RTO) for each asset and notes that the list in Section 500.13 (a)(1) is not exhaustive. Covered entities may include additional items or exclude items that are not applicable, and Own recommends establishing RTOs and Recovery Point Objectives (RPO) to minimize business disruption and reduce the risk of data loss. Own customers can rapidly recover their SaaS data from backups, either fully or surgically down to a specific record or field, without impacting new data.
The amended regulation also requires companies not only to have a process to back up and recover their data but also to test its effectiveness annually. PwC has control integration services to help companies formalize this process and provide evidence of compliance with this new component. PwC services also include Data Recovery Readiness and Recovery (DR3™) for Salesforce to help clients test and improve their recovery readiness maturity level, and provide documentation that they can use for regulatory reporting purposes.
The NYDFS updates include data protection requirements to limit the number of privileged accounts and their data access “to only those necessary to perform the user’s job” and to periodically “review all user access privileges and remove or disable accounts and access that are no longer necessary… and promptly terminate access following departures.” [Section 500.7].
Specialized solutions are needed to implement these requirements in SaaS environments efficiently and effectively. For instance, Own Secure for Salesforce provides a “Who Sees What” dashboard, with associated historical reporting, of this information that is critical for companies.
Secure for Salesforce also provides insights into privileged and stale accounts, directly addressing these requirements. In addition, Secure for Salesforce provides insights into multi-factor authentication (MFA) and single sign-on (SSO) usage and helps manage least-privilege access. These security insights help comply with the regulatory requirement “To the extent passwords are employed as a method of authentication, the covered entity shall implement a written password policy that meets industry standards.” [Section 500.7]
Having the right automated solution is one element to implementing these requirements. The other is building out the formalized process to monitor privileged user activity and password settings in the system on a recurring basis. PwC’s control integration services help clients build control execution and testing procedures to identify privileged users and monitor their activity in the system. This monitoring not only helps mitigate risk but also helps maintain the environment's security posture.
In addition, PwC’s security design service can help clients identify and remediate user access issues based on the least-privilege principle. For example, using instruments like Own Secure ‘Who Sees What Explorer’, our team can provide guidance on how to resolve security issues and propose ways to design security that is scalable and repeatable and reduces the risk of exposure for the company.
The NYDFS regulation calls out the encryption of information in Section 500.15 on Page 13. Own Secure for Salesforce provides encryption acceleration for Salesforce Shield (an industry standard) and helps avoid breaking business workflows and reports that can arise when implementing encryption. PwC also provides a Salesforce Shield implementation service to help build and implement a field-level encryption strategy for our clients utilizing tools like Own Secure as an accelerator. Together, we can help comply with this requirement and reduce data exposure for companies.
Such solutions and controls add rigor to the management of access, not just access itself. Reducing the time and cost of implementing these requirements can leave additional budget for other priorities.
The updated NYDFS regulation includes requirements around security event alerting and monitoring for anomalous activities. To help detect potential problems impacting data, Own Recover provides Smart Alerts to detect unexpected deletion or corruption of data on various SaaS platforms, including Salesforce. In addition, Own has a comparative analysis capability across backups over time that provides visibility into which data was deleted or altered/corrupted, and when. This comparative analysis capability can also be used to resolve questions about database integrity that arise after accidental damage or intentional tampering.
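As an added illustration (not Own's or PwC's code) of the two ideas above, the comparative analysis across dated backups and the integrity digest that Blockchain Verify anchors externally, the script below diffs three constructed daily snapshots of a Salesforce-style object, reports which records were deleted or altered and on which backup date the change first appears, and computes a canonical SHA-256 digest per snapshot. The record Ids, field values and dates are constructed sample data.

```python
"""Comparative analysis of dated backup snapshots (added illustration, not Own's code)."""
import hashlib
import json

# Constructed sample: three daily snapshots of an Account-like object keyed by record Id.
SNAPSHOTS = [
    ("2023-11-01", {"001A": {"Name": "Acme", "Phone": "555-0100"},
                    "001B": {"Name": "Globex", "Phone": "555-0200"},
                    "001C": {"Name": "Initech", "Phone": "555-0300"}}),
    ("2023-11-02", {"001A": {"Name": "Acme", "Phone": "555-0100"},
                    "001B": {"Name": "Globex", "Phone": "555-0299"},   # Phone altered
                    "001C": {"Name": "Initech", "Phone": "555-0300"}}),
    ("2023-11-03", {"001A": {"Name": "Acme", "Phone": "555-0100"},
                    "001B": {"Name": "Globex", "Phone": "555-0299"}}),  # 001C deleted
]

def snapshot_digest(records):
    """SHA-256 over a canonical JSON serialization (sorted keys, fixed separators), so the
    same logical backup yields the same digest regardless of export order. This is the kind
    of value one would store externally to verify the backup's integrity later."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()

def diff_snapshots(old, new):
    """Return (sorted deleted Ids, {Id: {field: (old_value, new_value)}}) between two snapshots."""
    deleted = sorted(set(old) - set(new))
    altered = {}
    for rid in set(old) & set(new):
        changes = {f: (old[rid].get(f), new[rid].get(f))
                   for f in set(old[rid]) | set(new[rid])
                   if old[rid].get(f) != new[rid].get(f)}
        if changes:
            altered[rid] = changes
    return deleted, altered

def change_timeline(snapshots):
    """Walk consecutive snapshots and list what was deleted or altered, and in which backup
    the change first appears, answering the 'what changed, and when' question."""
    findings = []
    for (_, prev), (date, cur) in zip(snapshots, snapshots[1:]):
        deleted, altered = diff_snapshots(prev, cur)
        for rid in deleted:
            findings.append({"date": date, "id": rid, "kind": "deleted", "fields": {}})
        for rid, changes in sorted(altered.items()):
            findings.append({"date": date, "id": rid, "kind": "altered", "fields": changes})
    return findings

if __name__ == "__main__":
    for date, recs in SNAPSHOTS:
        print(date, snapshot_digest(recs))
    for finding in change_timeline(SNAPSHOTS):
        print(finding)
```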
Own Secure for Salesforce also provides insights into objects that should be monitored (OTSBM) based on fields that are actually being used and are widely accessible by the user community.
Useful tips for improving security monitoring are presented in A Crawl, Walk, Run Approach to Salesforce Shield Event Monitoring.
Reporting - provable compliance
Own's data-centric approach across products provides deeper security insights and management, supplementing cybersecurity solutions that concentrate on infrastructure protection. Secure for Salesforce offers proof of compliance with Security Insights and an exportable PDF report that provides an overview of the current state of SaaS data hygiene, protection, and risk. Generating these reports provides valuable insights into how an organization’s security posture can be improved, helping fulfill annual reporting requirements that consider “plans for remediating material inadequacies.” The Time Machine feature gives a historical retrospective to track improvements in mitigating risks over time after the organization has taken steps to reduce risk to their SaaS data. These metrics are useful for demonstrating the efficacy of specific security measures, showing improvements in identifying risks, protecting data, monitoring, and preventing data exposure or loss. These insights can also help justify continued funding and resources related to Salesforce security.
Using the aforementioned tools, PwC can then support the proper setup and monitoring of users associated with APIs and service accounts. We analyze key system configurations and permissions via our controls integration service offering. This can help secure the application to help prevent unauthorized access and changes in the environment.
Efficient and effective compliance
The updated NYDFS regulation is an important step to prevent the risk of nonpublic information being lost or exposed by a cybersecurity event. Raising the bar for financial services companies makes sense but comes with a cost. Covered entities need solutions that reduce the time and cost of compliance, which is where Own can help.
Own Recover, available for Salesforce and other technology vendors, enables faster recovery and fewer data losses, providing a high customer return on investment for SaaS data. The added value of Blockchain Verify for third-party verification of regulatory compliance is specifically designed for financial services companies. Additionally, Own Secure for Salesforce helps reduce the time and cost of implementing Salesforce Shield, including restricting access to and accelerating encryption of sensitive data.
Combined with PwC service offerings, these solutions can provide an efficient and scalable solution to help comply with parts of this regulation.
Meet with us to learn how we can help you on your compliance journey. Book a meeting today.
© 2023 PwC. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general purposes only, and should not be used as a substitute for consultation with professional advisors.