New York’s Cybersecurity Regulation Requires Changes by May 1, 2025
As part of its ongoing efforts to strengthen cybersecurity across regulated industries, the New York Department of Financial Services (“NYDFS”) has set a critical deadline for businesses under its jurisdiction. By May 1, 2025, all entities regulated under 23 NYCRR Part 500 must implement an account and identity management program that aligns with the principles of least privilege and includes regular privilege reviews. This requirement is especially important for financial institutions, insurance companies, brokers, lenders, and money transmitters operating in New York.
The concept of least privilege is a fundamental element of any solid cybersecurity strategy. It ensures that individuals within an organization have access only to the specific data and systems necessary to do their job, and nothing more. Over time, employees often retain access to systems or data related to previous roles, even as their responsibilities change. This can lead to situations where, years into their tenure, employees hold unnecessary access to vast parts of an organization’s network. While this might seem efficient from a management perspective (after all, trusted employees can easily reach the resources they might occasionally need), it introduces significant risk.
If an employee’s credentials are compromised, the malicious actor can exploit the access that individual holds, potentially gaining control over far more than just the information needed for their current duties. It’s similar to giving someone a master key that opens every door in the office building when all they really need is access to their own department. The risk of that key being lost or stolen is substantial. The goal of least privilege is to limit exposure by providing access only to what is necessary for each employee’s specific role.
This approach is more secure but does require additional effort. For example, in the case of IT administrators, it is best practice to issue two separate accounts, one for their routine tasks with limited privileges and another for when they need elevated access. These higher-level accounts are typically closely monitored and their activities are logged to ensure there is no misuse. While this may seem more cumbersome than providing blanket access, it significantly reduces the risk in the event of a security breach by limiting the systems affected to those accessible by the compromised account.
Alongside these access management requirements, the new regulations also impose additional mandates for larger entities, including the implementation of a vulnerability management program and controls to guard against malicious code. While automation is preferred for these processes to minimize human error, manual reviews are allowed in cases where automation is not feasible. Keeping accurate records of these decisions is critical to ensure your business is protected should it face scrutiny after a security event.
With the May 1, 2025, deadline approaching, it’s essential for all affected businesses to start preparing now. Implementing a robust account and identity management program and ensuring periodic privilege reviews can take time. It’s also critical to update internal policies and procedures to support these new requirements. Failure to comply could leave your business exposed to cybersecurity risks and potential regulatory penalties.
Compliance Recommendation.
To meet the NYDFS deadline, businesses should begin by reviewing and updating their access control policies, ensuring they are aligned with the principle of least privilege. Conduct regular access reviews to ensure employees only have the necessary permissions for their current roles. Additionally, ensure that proper procedures are in place to monitor and audit administrative access. If your organization is a Class A or standard entity, make sure to implement a vulnerability management program and establish controls against malicious code, keeping in mind the importance of documentation for any manual processes. Starting these efforts early will help ensure that you meet the May 1, 2025, deadline and maintain a strong cybersecurity posture.
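As an added illustration of the two practices the article describes, the periodic privilege review (flagging access an employee retained from a previous role) and the separate routine/elevated accounts for IT administrators, here is a small review script. It is not NYDFS guidance and not code from the article; the role names, accounts and entitlements are constructed sample data, and the role baseline is an assumption about what each role legitimately needs.

```python
"""Privilege review helper (added example, not part of the original article).

Two checks are run over a constructed set of accounts:
  1. Least privilege: does the account hold entitlements beyond the baseline
     for its *current* role (e.g. rights carried over from a previous job)?
  2. Admin account separation: elevated rights must live on a dedicated
     privileged account that is linked to a daily-use account, never on the
     daily-use account itself.
All names and entitlement strings below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE: dict[str, set[str]] = {
    "teller": {"core_banking.read", "core_banking.post_txn"},
    "loan_officer": {"core_banking.read", "loans.originate", "credit_bureau.query"},
    "it_admin": {"helpdesk.tickets", "email.read"},            # routine, low-privilege work
    "it_admin_privileged": {"ad.domain_admin", "db.prod.dba"},  # elevated, separate account
}

# Entitlements that are only ever acceptable on a dedicated privileged account.
PRIVILEGED_ENTITLEMENTS: set[str] = ROLE_BASELINE["it_admin_privileged"]


@dataclass
class Account:
    username: str
    role: str
    entitlements: set[str]
    privileged: bool = False                      # True for the elevated admin account
    linked_standard_account: Optional[str] = None  # the daily-use account it belongs to


def excess_entitlements(acct: Account) -> set[str]:
    """Entitlements held beyond the baseline for the account's current role."""
    return acct.entitlements - ROLE_BASELINE.get(acct.role, set())


def review(accounts: list[Account]) -> dict[str, list[str]]:
    """Run the privilege review; returns findings keyed by username (clean accounts omitted)."""
    findings: dict[str, list[str]] = {}
    by_name = {a.username: a for a in accounts}
    for a in accounts:
        notes: list[str] = []
        extra = excess_entitlements(a)
        if a.privileged:
            # Elevated accounts must map back to a real daily-use account.
            if a.linked_standard_account not in by_name:
                notes.append("privileged account has no linked standard account")
        else:
            # Elevated rights on a daily-use account defeat the two-account model.
            elevated = a.entitlements & PRIVILEGED_ENTITLEMENTS
            if elevated:
                notes.append(f"elevated rights on daily-use account: {sorted(elevated)}")
            extra -= elevated  # report the remaining excess separately
        if extra:
            notes.append(f"excess access beyond role '{a.role}': {sorted(extra)}")
        if notes:
            findings[a.username] = notes
    return findings


def sample_accounts() -> list[Account]:
    """Constructed sample data exercising each finding type."""
    return [
        # alice moved from teller to loan officer but kept the teller posting right
        Account("alice", "loan_officer",
                {"core_banking.read", "core_banking.post_txn", "loans.originate", "credit_bureau.query"}),
        Account("bob", "teller", {"core_banking.read", "core_banking.post_txn"}),
        # carol's daily-use admin account was granted domain admin directly
        Account("carol", "it_admin", {"helpdesk.tickets", "email.read", "ad.domain_admin"}),
        Account("carol-adm", "it_admin_privileged", {"ad.domain_admin", "db.prod.dba"},
                privileged=True, linked_standard_account="carol"),
        # dave-adm points at a daily-use account that no longer exists
        Account("dave-adm", "it_admin_privileged", {"db.prod.dba"},
                privileged=True, linked_standard_account="dave"),
    ]


if __name__ == "__main__":
    for user, notes in review(sample_accounts()).items():
        for note in notes:
            print(f"{user}: {note}")
```

In practice the account list would come from the directory or identity provider and the role baseline from the access control policy; keeping the output of each review run, together with the decision taken on every finding, is the kind of documentation the article recommends retaining.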
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.