Ready to meet New York State's updated cybersecurity requirements?

If you are using Salesforce to manage customer data, Own Company can help you with this compliance journey.

The New York State Department of Financial Services (NYDFS) has updated the 23 NYCRR 500 regulation titled “Cybersecurity Requirements for Financial Services Companies.” Companies must be able to provide documentation of compliance with the majority of updated requirements, which include the following:

  • Asset inventory, data classification/sensitivity and encryption

  • Complete an annual independent audit of the cybersecurity program

  • Implement a privileged access management solution

  • Solutions and controls to prevent usage of common passwords

  • Implement a detection and response system (XDR)

  • The storage of backups isolated from client network connections and annual testing

  • Require users to authenticate via Multi-Factor Authentication (MFA)

  • Monitor for anomalous activity and generate alerts

  • Incident response and business continuity management

  • Documentary evidence demonstrating compliance

Larger companies (“Class A” companies), with aggregate revenue from New York operations and over $1 billion globally, or 2,000 employees globally, must also:

  • Complete an annual independent audit of the cybersecurity program

  • Implement a privileged access management solution and controls to prevent the usage of common passwords for privileged accounts

  • Implement an end-point detection and response system to monitor for anomalous activity and generate alerts

  • Enhance business continuity and disaster recovery protocols, including the identification of critical data, the storage of backups isolated from client network connections, and annual testing

  • Require users to authenticate via Multi-Factor Authentication

The regulation also requires a compliance filing, with supporting documentary evidence, which raises the risk of firms falling short and incurring millions in fines. Companies must also implement new controls, increase the frequency of existing cyber controls, and ensure that their compliance with the regulation is documented.

How Own can help ensure NYDFS compliance for Salesforce:

secure

Least privileged access management solution (section 500.7 on pages 8-9)
Encryption (section 500.15 on page 12)
Data Classification/Sensitivity (section 500.13, page 12)

archive

Data retention requirements (section 500.3 on page 5 and section 500.13 on pages 11-12)

recover

Backup and recovery (section 500.16 on pages 13-15)

Key Features

Data classification

Identify where your highest-risk information assets are located in Salesforce.

Data retention

Archive immutable records in the cloud and secure sensitive legacy data.

Privileged access

Implement a privileged access management solution and proactively limit and secure user access to sensitive information.

Encryption

Implement encryption of nonpublic information at rest or in transit.

Risk Assessment

Identify and prioritize cybersecurity risks to organizational operations and critical data.

Incident response, business continuity, and disaster recovery

Maintain and secure backups while being able to reliably and rapidly restore data.

Event Monitoring

Detect potential issues causing data exposure and deletion or corruption of data.

Reporting and provable compliance

Document the current state of data security and highlight risks for planned remediation.

Learn how Own can help you identify data exposure risks and proactively take action to protect and secure your data.

Salesforce Data Security: Your Blueprint for Success in 2023 featuring PwC

Watch this exclusive webinar with Salesforce and PwC to explore what the blueprint for SaaS data security looks like in 2023, how to reduce the impact of data breaches, and the importance of ‘zero-trust’ in cloud security.

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.
