Andrea Acciarri (US), PwC Partner, Cyber, Risk & Regulatory
Bob Clark, PwC Partner, Cyber, Risk & Regulatory
Brandon Talisesky, PwC Senior Manager, Consulting Solutions, Cyber, Risk & Regulatory
Ed Ponte, OwnBackup, Secure for Salesforce Product Manager
Eoghan Casey, OwnBackup VP, Cybersecurity & Product Development
Michelle Collignon, OwnBackup Sr. Director, Strategic Partnerships
To keep pace with the growing problem of data breaches and data loss impacting financial services companies in recent years, the New York State Department of Financial Services (NYDFS) is updating the 23 NYCRR 500 regulation titled “Cybersecurity Requirements for Financial Services Companies.” The updates are substantial, encompassing asset inventory, risk assessment, multi-factor authentication (MFA) implementation, business continuity and disaster recovery (BCDR), governance, and CEO/CISO certification. Companies have one year to comply with the updated regulation.
Larger companies (“Class A” companies), with aggregate revenue from New York operations over $20 million, over $1 billion globally, or 2,000 employees globally, must:
- Complete an annual external audit of the cybersecurity program.
- Use external experts to conduct a risk assessment at least once every three years.
- Implement an access management password solution and controls to prevent the usage of common passwords for privileged accounts.
- Implement an end-point detection and response system to monitor for anomalous activity and generate alerts.
The regulation also requires a compliance filing, which raises the risk of firms falling short and incurring millions in fines. In addition, when amendments take effect, companies must implement new controls, increase the frequency of existing cyber controls, and ensure that they document compliance with the regulation.
While this regulation applies to financial services and insurance companies operating in New York, it will likely have an impact beyond New York borders. PwC and OwnBackup have entered into a Collaboration Agreement to help companies with their data protection and security journeys. If you are using Salesforce to manage your customers’ data, PwC and OwnBackup can help you accelerate compliance with this revised NYDFS regulation.
PwC has deep professional experience in NYSDFS compliance. PwC can help:
- Assess your cybersecurity programs to determine compliance gaps and provide remediation initiatives
- Assist with the implementation of process and technology initiatives needed to comply with NYSDFS amendments
This article walks through several key pieces of the regulation and how using OwnBackup products and PwC services can help accelerate compliance with 23 NYCRR 500.
The NYDFS regulation emphasizes the importance of identifying where the highest-risk information assets are located. Data classification is foundational to the efficient and effective deployment of resources to protect sensitive data, particularly nonpublic information. However, without proper tooling, classifying Salesforce data can be an arduous task of manual configuration, field-by-field, through thousands of fields, or an exercise in spreadsheet gymnastics and bulk import/export operations.
OwnBackup Secure provides an efficient classification interface that includes the ability to bulk classify, sensitive field recommendations, field usage analysis, and export capabilities.
The enhanced NYDFS regulation highlights the crucial importance of BCDR planning and enumerates minimum requirements for a BCDR plan that all covered entities must comply with, especially maintaining and protecting backups, and being able to restore data rapidly and reliably from backups. The BCDR requirements include “maintaining backups that are adequately protected from unauthorized alterations or destruction,” “procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the covered entity and storing of the information offsite,” and “back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities.”
Not all backups are created equal, particularly for data stored in the cloud. Having forensic-quality copies of cloud data is essential to support regulatory compliance and incident response. The foundation of OwnBackup Recover is proactive forensic-quality preservation of SaaS data, along with associated metadata and logs, enabling organizations to be audit ready at all times.
For many organizations, backing up their Salesforce data daily is sufficient, risking up to a day’s worth of lost data. However, our High-Frequency Backup feature goes even further by backing up highly transactional, frequently changing data as often as every hour.
OwnBackup Archive provides additional functionality for safely and securely offloading Salesforce data that must be retained for specific periods. Archive empowers organizations to define, automate, and manage their custom data retention policies, including what data should be archived, how frequently archiving should occur, and how long it is retained. If internal or external requirements change, the data retention policy can be quickly and easily updated in Archive, automatically adjusting the retention period on all applicable records. Benefits of using Archive for regulatory compliance include safely archiving immutable records in the cloud and securing sensitive legacy data to minimize risk and exposure.
To satisfy regulatory requirements, OwnBackup also has a capability called Blockchain Verify to compute a cryptographic signature for the forensic-quality copy and to store the signature in a public blockchain to support independent integrity verification.
The updated NYDFS regulation emphasizes recovery from backup for business continuity and disaster recovery (BCDR). However, the NYDFS definition of a “cybersecurity event” does not explicitly mention data loss or corruption. In practicality, data loss and corruption, especially those that go undiscovered, severely curtail or outright prohibit an organization from meeting BCDR goals. OwnBackup believes no company should lose data in the cloud, and our Recover solutions satisfy this requirement for backup and recovery of specific SaaS data.
Recovering data from backups quickly can help avoid weeks of downtime and costly disruption of business. The updated regulation alludes to recovery time requirements [See Section 500.13 (a)(1)(v)], which can be formalized in terms of Recovery Time Objective (RTO), and Recovery Point Objective (RPO) to reduce the risk of data loss. OwnBackup customers can rapidly recover their SaaS data from backups, either fully or surgically, down to a specific record or field without impacting new data.
The NYDFS updates include data protection requirements “to limit the number and use of privileged accounts, review user access privileges and remove accounts and access that is no longer needed... Also, where passwords are used as a method of authentication, strong, unique passwords must be utilized.” [Section 500.7].
Specialized solutions are needed to implement these requirements in SaaS environments efficiently and effectively. For instance, OwnBackup Secure for Salesforce provides a “Who Sees What” dashboard and associated historical reporting of this information critical for companies.
Secure for Salesforce also provides insights into privileged and stale accounts, directly addressing these requirements. In addition, Secure for Salesforce provides insights into multi-factor authentication (MFA) and single sign-on (SSO) usage and helps manage least privileged access.
Having the right automated solution is one element to implementing these requirements. The other is building out the formalized process to monitor privileged user activity and password settings in the system on a recurring basis. PwC’s control integration services help clients build control execution and testing procedures to identify privileged users and monitor their activity in the system. This monitoring not only helps mitigate risk but also helps maintain the environment's security posture.
In addition, PwC’s security design service can help clients identify and remediate user access issues based on the least privileged principles. For example, using instruments like OwnBackup Secure ‘Who Sees What Explorer’, our team can provide guidance on how to resolve security issues and propose ways to design security to make it scalable and repeatable and reduce the risk of exposure for the company.
The NYDFS regulation calls out the encryption of information in Section 500.15 on Page 12. OwnBackup Secure for Salesforce provides encryption acceleration for Salesforce Shield (an industry standard) and helps avoid breaking business workflows and reports that can arise when implementing encryption. PwC also provides a Salesforce Shield implementation service to help build and implement a field-level encryption strategy for our clients utilizing tools like OwnBackup Secure as an accelerator. Together, we can help comply with this requirement and reduce data exposure for companies.
Such solutions and controls add rigor to the management of access, not just access itself. Reducing the time and cost of implementing these requirements can leave additional budget for other priorities.
The updated NYDFS regulation includes requirements around security event alerting and monitoring for anomalous activities. To help detect potential problems impacting data, OwnBackup Recover provides Smart Alerts to detect unexpected deletion or corruption of data on various SaaS platforms, including Salesforce. In addition, OwnBackup has a comparative analysis capability across backups over time that provides visibility over deleted or altered/corrupted data and when. This comparative analysis capability can also be used to resolve questions about database integrity that arise after accidental damage or intentional tampering.
OwnBackup Secure for Salesforce also provides insights into objects that should be monitored (OTSBM) based on fields that are actually being used and are widely accessible by the user community.
Useful tips for improving security monitoring are presented in A Crawl, Walk, Run Approach to Salesforce Shield Event Monitoring.
Reporting - provable compliance
OwnBackup's data-centric approach across products provides deeper security insights and management, supplementing cybersecurity solutions that concentrate on infrastructure protection. Secure for Salesforce offers proof of compliance with Security Insights and an exportable PDF report that provides an overview of the current state of SaaS data hygiene, protection, and risk. Generating these reports provides valuable insights into how an organization’s security posture can be improved, helping fulfill annual reporting requirements that consider “plans for remediating material inadequacies.” The Time Machine feature gives a historical retrospective to track improvements in mitigating risks over time after the organization has taken steps to reduce risk to their SaaS data. These metrics are useful for demonstrating the efficacy of specific security measures, showing improvements in identifying risks, protecting data, monitoring, and preventing data exposure or loss. These insights can also help justify continued funding and resources related to Salesforce security.
Using the aforementioned tools, PwC can then support the proper setup and monitoring of users associated with APIs and service accounts. We analyze key system configurations and permissions via our controls integration service offering. This can help secure the application to help prevent unauthorized access and changes in the environment.
Efficient and effective compliance
The updated NYDFS regulation is an important step to prevent the risk of nonpublic information being lost or exposed by a cybersecurity event. Raising the bar for financial services companies makes sense but comes with a cost. Covered entities need solutions that reduce the time and cost of compliance, which is where OwnBackup can help.
OwnBackup Recover, available for Salesforce and other technology vendors, enables faster recovery and fewer data losses, providing a high customer return on investment for SaaS data. The added value of Blockchain Verify for third-party verification of regulatory compliance is specifically designed for financial services companies. Additionally, OwnBackup Secure for Salesforce helps reduce the time and cost of implementing Salesforce Shield, including restricting access to and accelerating encryption of sensitive data.
Combined with PwC service offerings, these solutions can provide an efficient and scalable solution to help comply with parts of this regulation.
Meet with us to learn how we can help you on your compliance journey. Book a meeting today.
© 2023 PwC. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general purposes only, and should not be used as a substitute for consultation with professional advisors.