New York State’s Department of Financial Services (DFS) has released a Cybersecurity Regulation Updates and Reminder notice warning that every regulated entity that is not fully exempt must have an account and identity management program in place, implementing least privilege and periodic privilege review, by May 1, 2025.
The notice is addressed to companies regulated under 23 NYCRR Part 500, which covers the financial institutions, insurance companies, brokers, lenders and money transmitters that operate in New York under a DFS license, registration or charter.
Least privilege matters because access tends to accumulate: as people change roles over time, they usually keep the privileges of the old role and add those of the new one. After a few years they can reach virtually the entire domain of the organization, even though a small portion of it covers 90% of their day-to-day work. From an efficiency standpoint this can look reasonable, since they are trusted individuals and it makes access for the remaining 10% of the time much easier to arrange.
But that strategy becomes a problem the moment their credentials are compromised. Anywhere a compromised user can go, a threat actor holding those credentials can go too. Physical keys make this easy to picture. Should every lock open to a master key? How many employees really need a master key, or could they get by with one key to the front door and another to their department? What is at risk if the master key is stolen?
A better strategy is to restrict each user to the systems they need for their day-to-day job. Even staff in the Information Technology department rarely need global administrator access for most of their work. Best practice is to issue these super users two accounts: one with limited privileges for day-to-day work, and a separate one for the rare occasions when they need greater access to the systems.
These enhanced access accounts, or administrator accounts, are typically closely monitored, and their activity is logged so that any abuse of the privilege is visible. In many cases the passwords are reset after each use, so when and whether they are used is tightly controlled. This is obviously more cumbersome than handing everyone a master key, but it confines any security event to the systems that one account can reach, and that containment is worth the extra aggravation.
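The two checks described above, a periodic privilege review against each user's current role and a look for admin accounts being used for routine sign-ins, can be scripted. The following is an added illustration, not code from DFS or from the original article; the role baselines, group names, user names and sign-in records are all constructed for the example, and a real review would pull the same data from the directory and the authentication logs.

```python
"""Periodic privilege review and privileged-account hygiene checks.

Added illustration with constructed data. Role baselines, group names,
user names and sign-in records below are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical role baselines: the only groups each role needs day to day.
ROLE_BASELINE = {
    "accounts_payable": {"erp-ap-users", "fileshare-finance-ro"},
    "it_helpdesk": {"helpdesk-tools", "ad-password-reset"},
    "domain_admin": {"domain-admins", "helpdesk-tools"},
}

# Systems an admin account is expected to touch; anything else is routine work.
ADMIN_TARGETS = {"dc01", "dc02", "admin-jump-01"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    groups: frozenset
    admin_account: bool = False


# Constructed sample directory: mlee moved from accounts payable to the help
# desk but kept the AP group, and holds a separate admin account for elevated work.
USERS = [
    User("jsmith", "accounts_payable", frozenset({"erp-ap-users", "fileshare-finance-ro"})),
    User("mlee", "it_helpdesk", frozenset({"helpdesk-tools", "ad-password-reset", "erp-ap-users"})),
    User("mlee-adm", "domain_admin", frozenset({"domain-admins", "helpdesk-tools"}), admin_account=True),
]

# Constructed sign-in records: timestamp, account, target system.
SIGNIN_LOG = """\
2025-03-03T08:55:10 mlee WS-117
2025-03-03T09:02:41 mlee-adm dc01
2025-03-03T09:40:03 mlee-adm WS-117
2025-03-03T10:15:22 jsmith erp-prod
2025-03-04T14:02:09 mlee-adm mail-owa
"""


def excess_groups(user: User, baseline=ROLE_BASELINE) -> set:
    """Groups the user holds beyond what their current role is allowed."""
    return set(user.groups) - baseline.get(user.role, set())


def privilege_review(users=USERS, baseline=ROLE_BASELINE) -> dict:
    """Map each user with excess access to the groups to remove or justify."""
    findings = {}
    for u in users:
        extra = excess_groups(u, baseline)
        if extra:
            findings[u.name] = sorted(extra)
    return findings


def parse_signins(text=SIGNIN_LOG) -> list:
    """Parse 'timestamp account target' lines into tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def admin_misuse(users=USERS, text=SIGNIN_LOG, admin_targets=ADMIN_TARGETS) -> dict:
    """Admin accounts signing in to systems outside the admin set. That means the
    elevated account is being used for routine work, defeating the two-account model."""
    admins = {u.name for u in users if u.admin_account}
    hits = {}
    for ts, account, target in parse_signins(text):
        if account in admins and target not in admin_targets:
            hits.setdefault(account, []).append((ts, target))
    return hits


if __name__ == "__main__":
    for name, groups in privilege_review().items():
        print(f"REVIEW  {name}: remove or justify {groups}")
    for name, events in admin_misuse().items():
        for ts, target in events:
            print(f"MISUSE  {name} used for routine sign-in to {target} at {ts}")
```

Running it flags mlee's leftover accounts-payable group as privilege creep and shows mlee-adm signing in to a workstation and to webmail, exactly the pattern the separate day-to-day account is meant to prevent. Keeping the review output, and the decision to remove or justify each finding, is the kind of record a periodic privilege review should produce.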
For Class A companies and all other covered entities alike, the amended regulation also requires a vulnerability management program with automated scans, and manual review of systems the scans do not cover (500.5(a)(2)), and controls that protect against malicious code, including monitoring and filtering of web traffic and email (500.14(a)(2)). DFS expects these processes to be automated wherever practical, since automation is less subject to human error, but the regulation allows manual review where automation is not feasible. We can help document these decisions to protect your organization should they ever be reviewed following a security event.
May 1 is approaching quickly, and access reviews, and the policies and procedures that support these programs, take time to carry out and put in place.