How to Meet NYDFS Section 500.7 Amendment Requirements

The New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation is a set of comprehensive cybersecurity requirements that apply to financial institutions operating in New York. The goal of the regulation is to ensure that the cybersecurity programs of financial institutions have robust safeguards in place to protect customer data and the financial sector. 

On November 1, 2023, the NYDFS finalized an amendment to its cybersecurity regulation that expands cybersecurity requirements across many areas, including access management. The update imposes two requirements for “Class A Companies” (read: large organizations) in Section 500.7. This section of the amendment specifies updated requirements regarding Access Privileges and Management:

Class A companies must:

(1) implement a privileged access management solution;
(2) automatically block common passwords for information system accounts. If the latter requirement is not feasible, then the covered entity’s CISO must provide annual written approval for the infeasibility and use of alternative controls.

While this applies to Class A companies, the full amendment also includes additional requirements for all companies:  

The Amendment expands the requirements for access privileges, adding “and Management” to the title of the Section. The Amendment imposes the requirements that a covered entity must: 

(1) limit user access privileges to nonpublic information to only those necessary to perform the user’s job; 
(2) limit the number of privileged accounts and access functions of those accounts to only those necessary to perform the user’s job; 
(3) only permit use of privileged accounts when performing functions requiring that access; 
(4) annually review all user access privileges and remove or disable unnecessary accounts or access; 
(5) disable or securely configure all protocols that permit remote device control; and 
(6) promptly terminate access after departures.

If passwords are used for authentication, the Amendment requires that covered entities implement a written password policy that complies with industry standards.

Section 500.7: Breaking down the new requirements

The new requirements imposed by the amendment to Section 500.7 can be broken down into a few key categories:

The Principle of Least Privilege (PoLP) is an access management methodology that’s focused on ensuring that user privileges are limited to the minimum required for the user to do his/her job. In the case of NYDFS regulations, this definition is extended to include the data that the user can access as well. That means organizations must actively manage the tools and systems users have access to, as well the data that can be accessed in those systems.

Just-in-Time Access is focused on access to systems that only exists in the moments that it’s needed, and that access is deprovisioned as soon as it is not needed. NYDFS mandates that just-in-time access is applied across privileged accounts, ensuring that privileged accounts are not available when users are not performing functions that require access. 

Privileged Access is a category of Identity and Access Management (IAM) that is primarily focused on securing accounts with elevated privileges. The amendment to NYDFS requires that Class A Companies implement a privileged access management solution, such as StrongDM, and implement workflows and processes that disable or remove all unnecessary privileges, including those for users terminated or that depart the organization. 

Meet the Updated NYDFS Requirements with StrongDM

StrongDM delivers a Zero Trust PAM platform that fulfills the “implementation of a PAM” requirements, while also delivering the critical features required for PoLP, Just-in-Time access, and privileged access. Specifically:

To learn more about how StrongDM can help you meet the updated requirements of NYDFS, you can sign up for a demo here.