Derek Anderson, Senior Sales Engineer; Dennis Faire, Principal Compliance Analyst; Scott Young, Product Marketing Manager
Today, Obsidian Security announces general availability for its NYDFS SaaS Security Posture Management (SSPM) compliance framework. This new release allows customers to navigate the complexity governing SaaS to prepare for upcoming compliance deadlines.
Financial services companies operating across banking, insurance, mortgages, cryptocurrency exchange, online lending, and more that do business in New York are subject to new SaaS security requirements in accordance with NYDFS Regulation (23 NYCRR 500). New requirements around this regulation go into effect later this year.
Known as Part 500, these directions clearly detail security requirements for any IT systems that store nonpublic information (NPI), especially when accessed externally, or for systems like email and file upload. Businesses run on SaaS, and applications like Microsoft 365, Google Workspace, and Salesforce must adhere to these newly defined requirements.
Validating compliance with NYDFS Part 500 presents a significant challenge for GRC and security teams, especially as securing and auditing SaaS environments introduces unfamiliar complexity. Despite this, regulators are already issuing fines.
Regulated data that once lived in tightly controlled on-prem environments now resides across SaaS and cloud platforms, making them the new front line for cyber threats and regulatory risk. The NYDFS Cybersecurity Division has indicated that the agency conducts roughly 400-500 reviews annually.
If a company is found out of compliance, fines may be levied for each separate violation. In a case where thousands of documents are exposed, the maximum fine of $1,000 per violation can quickly add up to millions in cumulative penalties.
At its core, Part 500 of the NYDFS cybersecurity regulation requires companies to implement a strong security program to protect against unauthorized access to sensitive data. This includes:
The rules outlined in this NYDFS cybersecurity regulation aren’t just about checking a box. They are designed to standardize the industry across best practices that prevent and minimize the impact of a breach. Data breaches represent fast-growing financial harm to consumers and risk destabilizing the financial system.
Manual approaches to meeting NYDFS Part 500 compliance do not scale for SaaS. These apps were designed for business users, not IT. The result is sprawl, configuration drift, and difficulty monitoring the SaaS attack surface, made harder by BYOD and remote access.
Obsidian Security is the unified platform that finds and secures SaaS data and protects identities (human and non-human). The solution spans across all the pillars of NIST 2.0 from identification to remediation, giving GRC and IT scale through app owners.
Obsidian’s platform maps to key challenges solving for NYDFS Part 500 including:
Obsidian Security streamlines audits with the NYDFS Part 500 framework built into the SSPM solution to meet compliance and show evidence of it. The unified platform allows GRC teams to view the percentage of passing controls, the applications chosen as in scope, and alerts with easy-to-read context so app owners can remedy violations. Reports can be downloaded to prove adherence.
NYDFS is focused on cybersecurity, and non-compliance can result in significant fines, reputational damage, and increased regulatory scrutiny. To avoid this, GRC teams need to get serious about SaaS security, since these apps contain NPI and are the latest target among threat actors. Obsidian Security has seen a +300% increase in SaaS breaches across our participation in incident response.
With Obsidian Security, demonstrating your commitment to protecting customer data and staying compliant doesn’t have to be a burden to you and your business. Our unified platform spans SSPM and ITDR, providing complete SaaS data protection.
See for yourself how Obsidian can help your company meet NYDFS cybersecurity regulations. Request your demo now.
Start in minutes and secure your critical SaaS applications with continuous monitoring and data-driven insights.