April 2, 2025

2025 NYDFS Deadlines Expose SaaS Security Gaps—How to Avoid Paying Millions in Fines

Derek Anderson, Senior Sales Engineer; Dennis Faire, Principal Compliance Analyst; Scott Young, Product Marketing Manager

Summary
  • NYDFS cybersecurity regulation Part 500 requires scoped entities to secure their critical systems—including SaaS—according to specific guidelines like MFA compliance
  • Several firms have already been fined millions of dollars due to violations of NYDFS
  • Deploying access policies, password requirements, and removing inactive SaaS accounts can help avoid penalties from expected enforcement in the near future
  • Obsidian Security now includes NYDFS rules mapped to SaaS controls to easily audit and track adherence of your applications to this regulation

NYDFS Mandate Establishes May and November 2025 Deadlines for SaaS

Today, Obsidian Security announces general availability for its NYDFS SaaS Security Posture Management (SSPM) compliance framework. This new release allows customers to navigate the complexity governing SaaS to prepare for upcoming compliance deadlines.

Financial services companies operating across banking, insurance, mortgages, cryptocurrency exchange, online lending, and more that do business in New York are subject to new SaaS security requirements in accordance with NYDFS Regulation (23 NYCRR 500). New requirements around this regulation go into effect later this year.

Mandate for implementation by May 2025:
  • Vulnerability Scans: discover, analyze, and report vulnerabilities at a frequency determined by the entity's risk assessment, and promptly after any material system change
  • Review User Access Privileges: manage elevated privilege, prune inactive accounts, enforce strong authentication controls, and monitor these accounts

Mandate for implementation by November 2025:
  • Multi-Factor Authentication: necessary for any individual accessing any Information Systems, regardless of location, type of user, and type of information contained on the Information System being accessed
  • Asset Inventory: Required to develop and maintain up-to-date inventories of Information Systems

Known as Part 500, these directions clearly detail security requirements for any IT systems that store nonpublic information (NPI), especially when accessed externally, or for systems like email and file upload. Businesses run on SaaS, and applications like Microsoft 365, Google Workspace, and Salesforce must adhere to these newly defined requirements.

Penalties for Non-Compliance

Validating compliance with NYDFS Part 500 presents a significant challenge for GRC and security teams, especially as securing and auditing SaaS environments introduces unfamiliar complexity. Despite this, regulators are already issuing fines.

Regulated data that once lived in tightly controlled on-prem environments now resides across SaaS and cloud platforms, making those platforms the new frontline for cyber threats and regulatory risk. The NYDFS Cybersecurity Division has indicated that the agency conducts roughly 400 to 500 reviews annually.

If found out of compliance, fines may be levied for each separate violation. This means that in a case where thousands of documents are exposed, the maximum fine of $1,000 per violation can quickly add up to millions in cumulative penalties.

Adhering to NYDFS Compliance for SaaS

At its core, Part 500 of the NYDFS cybersecurity regulation requires companies to implement a strong security program to protect against unauthorized access to sensitive data. This includes:

  • Risk Assessment – Build comprehensive asset inventory for known SaaS and shadow SaaS. Identify vulnerabilities in applications processing nonpublic information (NPI). Map how external systems and users access applications and the data flow between all integrations for each SaaS in scope.
  • Threat Detection and Response – Reduce incident dwell time from internal risks and external attacks by normalizing data across SaaS to provide continuous monitoring and detections, overcoming the limitations of native SaaS logs and tooling. NYDFS has a 72-hour breach notification window.
  • Access Privileges and Management – Manage elevated privilege for human and non-human identities in SaaS. Assess access controls for privileged accounts, and do not forget to prune idle users and integrations.
  • Multi-Factor Authentication (MFA) – Enforce MFA across IdPs and SaaS. Prove users are properly enrolled in corporate-defined security controls. Terminate local access, or monitor CISO-approved, MFA-exempt accounts.
  • Third-Party Risk Management – Evaluate the security posture of all third-party SaaS providers, ensuring they meet your organization’s security expectations and NYDFS standards. This includes contractual controls, due diligence (vendor questionnaires), and continuous monitoring for abnormal behavior in connected systems or contractors.
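The access-review and MFA items above are the ones most readily checked against an account export. The script below is an added example, not Obsidian's code or anything from the regulation text: it runs the checks described in the Access Privileges and MFA bullets (inactive human and non-human accounts, privileged integrations, users without MFA, and local logins that bypass the IdP) over a constructed SaaS account inventory. The field names, the 90-day inactivity threshold, and the CISO exemption list are all assumptions made for illustration; Part 500 leaves the review cadence to each entity's risk assessment.

```python
"""Audit a SaaS account inventory against Part 500 access-review and MFA controls.

Added example, not Obsidian Security's code. The records, field names,
inactivity threshold and exemption list below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INACTIVITY_DAYS = 90  # assumed review threshold; the regulation leaves the period to the risk assessment
NOW = datetime(2025, 4, 2, tzinfo=timezone.utc)  # fixed "today" so the example is deterministic


@dataclass
class Account:
    app: str
    principal: str
    kind: str                    # "human" or "integration" (non-human identity)
    privileged: bool
    mfa_enrolled: bool
    login_source: str            # "idp" (federated) or "local" (app-native credential)
    last_active: Optional[datetime]  # None = never used


# Constructed sample inventory, shaped like a merged export from an IdP and SaaS admin APIs.
INVENTORY = [
    Account("salesforce", "alice@example.com", "human", True, True, "idp", NOW - timedelta(days=3)),
    Account("salesforce", "bob@example.com", "human", False, False, "local", NOW - timedelta(days=10)),
    Account("salesforce", "svc-etl", "integration", True, False, "local", NOW - timedelta(days=200)),
    Account("m365", "carol@example.com", "human", True, True, "idp", NOW - timedelta(days=120)),
    Account("m365", "break-glass-admin", "human", True, False, "local", None),
]

# Constructed list of accounts the CISO has documented as MFA-exempt (the text above
# says to monitor such accounts rather than flag them as violations).
CISO_MFA_EXEMPTIONS = {("m365", "break-glass-admin")}


@dataclass
class Finding:
    app: str
    principal: str
    control: str
    detail: str


def audit(inventory: List[Account], now: datetime = NOW,
          inactivity_days: int = INACTIVITY_DAYS) -> List[Finding]:
    """Return one Finding per failed control; an empty list means the inventory is clean."""
    findings: List[Finding] = []
    cutoff = now - timedelta(days=inactivity_days)
    for a in inventory:
        exempt = (a.app, a.principal) in CISO_MFA_EXEMPTIONS

        # Access privileges: prune idle users and integrations (never-used counts as idle).
        if a.last_active is None or a.last_active < cutoff:
            findings.append(Finding(a.app, a.principal, "inactive",
                                    f"{a.kind} account idle for more than {inactivity_days} days"))

        # Access privileges: non-human identities with elevated privilege need their own review.
        if a.kind == "integration" and a.privileged:
            findings.append(Finding(a.app, a.principal, "privileged-integration",
                                    "non-human identity holds elevated privilege"))

        # MFA applies to individuals; integrations are reviewed on privilege and activity instead.
        if a.kind == "human" and not exempt:
            if not a.mfa_enrolled:
                findings.append(Finding(a.app, a.principal, "mfa-missing",
                                        "user not enrolled in MFA and no approved exemption"))
            # A local (app-native) credential bypasses the IdP's MFA policy entirely.
            if a.login_source == "local":
                findings.append(Finding(a.app, a.principal, "local-login",
                                        "app-native credential bypasses federated MFA policy"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control, the figure a GRC dashboard would track over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f.app:<11} {f.principal:<20} {f.control:<22} {f.detail}")
    print(summarize(results))
```

Exempted accounts still surface under the inactivity check, which is intentional: a documented exemption removes the MFA finding, not the obligation to review the account. Raising `inactivity_days` (for example to 365, the longest period a risk assessment is likely to justify) shrinks the inactive list but leaves the MFA and local-login findings untouched.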

The rules outlined in this NYDFS cybersecurity regulation aren’t just about checking a box. They are designed to standardize the industry across best practices that prevent and minimize the impact of a breach. Data breaches represent fast-growing financial harm to consumers and risk destabilizing the financial system.

Obsidian Security Simplifies Compliance for NYDFS Part 500

Manual approaches to meeting NYDFS Part 500 compliance do not scale for SaaS. These apps were designed for business users, not IT. The result is sprawl, configuration drift, and difficulty monitoring the SaaS attack surface, made harder still by BYOD and remote access.

Obsidian Security is the unified platform that finds and secures SaaS data and protects identities (human and non-human). The solution spans across all the pillars of NIST 2.0 from identification to remediation, giving GRC and IT scale through app owners.

Obsidian’s platform maps to the key challenges of NYDFS Part 500, including:

  • Inventory and Govern SaaS: Identify federated and unfederated apps via the browser, app-to-app integrations, and business inboxes. Block unauthorized SaaS to stop sprawl.
  • Manage Integration Privilege: Review all non-human integrations connected to core SaaS with Integration Risk Manager for excess privilege and inactivity.
  • Monitor Local Accounts: Exclude unauthorized local access to federated applications. Leverage data from the browser to determine local vs. IdP login across key SaaS like Salesforce, Snowflake, and Workday.
  • Enforce MFA: Ensure MFA and access policies are in place across IdP and SaaS, including identification of local accounts and monitoring of those exempted by the CISO.
  • Detect and Respond to SaaS Threats: Alert on threats in near real time and pivot into a purpose-built incident response platform to determine materiality.
  • Automate Compliance Tracking and Reporting: Map NYDFS controls to all SaaS in Obsidian to identify gaps, benchmark progress, and simplify remediation for app owners.

Obsidian Security streamlines audits with the NYDFS Part 500 framework built into the SSPM solution, helping you meet compliance and show evidence of it. The unified platform lets GRC view the percentage of passing controls, the applications chosen as in scope, and alerts with easy-to-read context so app owners can remedy violations. Reports can be downloaded to prove adherence.

How to Start SaaS Security to Meet NYDFS Part 500 Requirements

NYDFS is focused on cybersecurity, and non-compliance can result in significant fines, reputational damage, and increased regulatory scrutiny. To avoid this, GRC teams need to get serious about SaaS security, since these apps contain NPI and are the latest target among threat actors. Obsidian Security has seen a +300% increase in SaaS breaches across our participation in incident response.

With Obsidian Security, demonstrating your commitment to protecting customer data and staying compliant don’t have to be a burden to you and your business. Our unified platform spans SSPM and ITDR, providing complete SaaS data protection.

See for yourself how Obsidian can help your company meet NYDFS cybersecurity regulations. Request your demo now.
