Navigating NYDFS Regulations: User Access Reviews (UARs)

Navigating the regulatory landscape of the financial sector has always been challenging, and the evolving standards of the New York Department of Financial Services (NYDFS) are no exception. This blog post explores the NYDFS, the 23 NYCRR Part 500 cybersecurity regulations, and the newly introduced requirement for annual User Access Reviews (UARs) for financial institutions.

What is the New York Department of Financial Services (NYDFS)?

The New York Department of Financial Services (NYDFS) is a regulatory agency responsible for supervising and regulating financial services and products in the state of New York. Created in 2017, NYDFS oversees a wide range of financial entities, including:

1. Banks: Both state-chartered and foreign banks operating in New York.
2. Insurance Companies: Life, health, and property/casualty insurers.
3. Mortgage Brokers and Lenders: Entities involved in mortgage origination and servicing.
4. Financial Services Firms: Companies offering financial services like money transmitters.
5. Virtual Currency Businesses: Companies dealing with cryptocurrencies and virtual currencies.

The NYDFS aims to secure the financial system, protect consumers from financial fraud, and promote economic growth through regulation, enforcement, and policy development.

What is Cybersecurity Regulation, 23 NYCRR Part 500?

The 23 NYCRR Part 500 Cybersecurity Regulation is designed to enhance cybersecurity practices among financial institutions under NYDFS jurisdiction. Effective since March 1, 2017, it has undergone multiple amendments.

Key Elements of the Regulation:

• Cybersecurity Program: Entities must implement and maintain a cybersecurity program based on risk assessment.
• Chief Information Security Officer (CISO): Designate a CISO to oversee compliance.
• Vulnerability Management: Conduct regular penetration testing and automated monitoring.
• User Access Reviews (UARs): Perform annual reviews and implement Privilege Access Management (PAM).
• Multi-factor Authentication (MFA): Required for privileged accounts and sensitive applications.
• Cybersecurity Awareness Training: Conduct annual, risk-based training.
• Centralized Logging & Security Alerts: Use solutions for event logging and alerting.

New Requirement: Annual User Access Reviews (UARs)

Recent amendments now mandate annual UARs for all financial institutions under NYDFS jurisdiction. This requirement, part of section 500.7, focuses on access privileges and management:

1. Limit user access to only what is necessary for job performance.
2. Restrict the use and functions of privileged accounts.
3. Annually review all user access privileges.
4. Disable or securely configure protocols for remote device control.
5. Promptly terminate access for departing employees.

Challenges in Implementing UARs

Many financial institutions face challenges due to self-hosted applications or systems without APIs, making UARs a manual, time-intensive process. This increases the risk of errors, delayed anomaly detection, and reactive incident responses.

Recommended Tools for UARs:

• Identity Governance and Administration (IGA) Tools: Solutions like SailPoint or Saviynt streamline the UAR process.
• Identity Security Solutions: Use tools like Okta or Microsoft Entra ID for lifecycle management.
• File Operations Tools: Consider solutions like Aquera for accurate data extraction, transformation, and loading.

Complimentary Workshop

Our advisory team offers a complimentary half-day workshop to help you navigate UAR processes or other NYDFS compliance requirements. Contact us to schedule your session.

Conclusion

The amended NYDFS regulations bring stricter requirements for financial institutions operating in New York. While compliance can be complex, our identity consultants specialize in implementing solutions that align with regulatory needs while enhancing identity security programs.

If you’d like to learn more, reach out to our team today!