NYDFS Regulation: What It Means for Access Controls and How to Comply


The New York Department of Financial Services (NYDFS) is considered a nationwide leader in cybersecurity standards and is known for having the strictest regulations in the country for how financial services companies must handle and protect sensitive data. But as stringent as New York’s standards are, companies operating in the state are still experiencing data breaches that harm consumers and businesses. So the department recently issued a significant amendment to its cybersecurity regulations, known as 23 NYCRR Part 500. Among other cybersecurity measures, the amendment requires tighter controls for privileged access—including enforcement of just-in-time (JIT) access—and more regular user access reviews and reporting. 

In its own words, the NYDFS amended Part 500 to respond to “significant changes in the cybersecurity landscape” since the regulations were established in 2017: “threat actors have become more sophisticated and prevalent,” “cyber attacks have become easier to perpetrate” and “more expensive to remediate,” and “more and better controls are available to manage cyber risk at reasonable cost.” 

The new standards are meant to address this new reality both proactively and reactively, with requirements for identifying and mitigating potential risks before they can be exploited as well as those for detecting, reacting to, and recovering from events.

Reducing standing privileges and running more access reviews

Some requirements have already gone into effect, and most will be rolled out over the next 6 to 18 months. By May of next year, companies will need to certify their compliance with a majority of the regulations, including having solutions in place for monitoring and decreasing privileged access, running detailed access reviews at least once a year, and quickly removing any unnecessary access turned up by those reviews.

The amendment’s access control stipulations follow the principle of least privilege, which aims to limit risk by granting access to sensitive data only to those users who need it and only for as long as is necessary for those users to perform their jobs. The fewer users with privileged access at any given time, the fewer opportunities for that access to be exploited.

The challenge for many companies charged with meeting these requirements will be adequately enforcing control and running efficient reviews of access across complex environments that can include both cloud and on-prem apps and infrastructure, HR directories, backoffice systems, and more. In the case of financial services companies in particular, legacy and more modern systems often exist side by side—getting a clear, comprehensive understanding of who has access to what within those systems can be a daunting task.

Creating visibility and moving to just-in-time access

If you’re responsible for complying with the new Part 500 amendments, a best first step is to, as much as possible, pull all application identities, access, and authorization data from your systems together under one view that allows you to see fine-grained permissions, roles, groups, and their relationships. Centralizing and contextualizing this information brings identity- and permission-based threats out of the dark and enables you to quickly identify unnecessary privileged access.

Next, find and remove any unused or orphaned accounts and establish a clear protocol for how role changes and offboarding will be managed going forward, to make sure deprovisioning will be quick and comprehensive.

Finally, catalog which of your systems house sensitive data and who has privileged access to that data. Then shift those privileges to time-bound access. This entails removing all unnecessary standing privileges and then enabling users who periodically need privileged access to request it just for the time required to perform their job. 

The trick here is balancing productivity with security. Manual provisioning and deprovisioning of just-in-time (JIT) access can quickly create a ticket backlog. If users can’t get the access they need when they need it, productivity will suffer. And if access isn’t removed as soon as it’s no longer necessary, those privileges will be a risk—and you’ll be out of compliance. Putting solutions in place that allow you to configure JIT access policies and automate requests, approvals, provisioning, and deprovisioning will be critical to success. 

Learn more: How Ramp implemented least privilege access

Automating access reviews

The NYDFS amendment stipulates that companies must conduct annual user access reviews but recommends performing them more often. Running regular access reviews is just best practice—they allow you to proactively identify accounts that need attention. But the number of SaaS and IaaS applications used by today’s companies, each with its own set of users and permissions, has exponentially increased the complexity of running reviews. 

Automation is key to reducing the time, effort, and cost involved and making reviews more frequent. Use automation to replace slow manual processes like data collection, certification compilation, notifications, access changes, and access change verifications, and to streamline processes for reviewers. Automation will also help you mitigate errors, producing faster, easier, and more accurate reviews.  

Learn more: How DigitalOcean reduced identity security risk by automating user access reviews

A zero trust approach to cybersecurity

Overall, the Part 500 amendment signals a move toward zero trust protocols in modern cybersecurity. Beyond the core component of stricter access controls, the new regulations also require companies to protect against malicious code, conduct internal vulnerability testing, implement endpoint detection and response, establish more robust MFA requirements, and train staff in cybersecurity awareness, including how to spot and avoid social engineering attacks. 

All of which acknowledge the reality that attacks are getting exponentially more sophisticated, and companies must be prepared for some human and technological defenses to inevitably fail. Moving forward, zero trust–informed best practices will include moving to a zero standing privilege access model and complementing access controls with strong authentication safeguards like biometric-based passkeys and multiparty authentication for access to internal networks. The NYDFS amendments are a step in this direction and put companies on the right path to protecting their own and their customers’ sensitive data.

Learn more: Zero trust in practice: How we keep customer data secure at ConductorOne 

More detailed information about the new requirements, when they go into effect, and how to certify your compliance is available from the NYDFS. To learn more about how ConductorOne can help you implement just-in-time access and automate access reviews, chat with us