ֿ

Fulfilling Access-Related NYDFS Cybersecurity Requirements

Entitle aligns with NYCRR 500 requirements, aiding financial companies with privilege management, third-party access limits, and incident response.

Find a time to chat
photo of document and dfs logo

What is the 23 NYCRR 500 Cybersecurity Requirement?

Recent attempts to exploit vulnerabilities for accessing sensitive electronic data highlight the potential financial losses for DFS-regulated entities and NY consumers. As a result, the NY Department of Financial Services emphasizes the need for regulatory standards that balance risk, technology, and protection. This regulation mandates personalized risk assessments, robust cybersecurity programs overseen by senior management, and annual compliance certifications, all aimed at safeguarding customer information and institutional integrity.

TL;DR - how Entitle can help

Section 500.7
Least privilege access and access reviews

Section 500.11(b1)
3rd-party service providers access controls

Section 500.16
Enabling break-glass access protocol

Section 500.14
Monitor unauthorized access

Flexible least privilege access

Section 500.7: "Each Covered Entity shall limit user access privileges to information systems that provide access to Nonpublic Information..."

Solution - multi-cloud just-in-time access
By automating the process of requesting, granting and revoking access, it becomes possible to provide and audit temporary and granular privileges.

workflows screen

Access review automation

Section 500.7: "...and shall periodically review such access privileges."

Solution - automated access reviews
Generate audit-ready reports by automatically collecting evidence and easily delegating reviews to relevant managers.

A screenshot of a table from Entitle

Limited third-party access

Section 500.11(b1): "The Third Party Service Provider’s policies and procedures for access controls....to limit access to relevant Information Systems and Nonpublic Information."

Solution - temporary 3rd-party access
Enforce access duration guardrails to ensure permissions are revoked when the job is done.

A screen of a table from Entitle

Privilege escalation for break-glass scenarios

Section 500.16: "Incident response plan shall address....the internal processes.... definition of clear roles, responsibilities.... external and internal communications and information sharing."

Solution - self-service privilege escalation for on-call teams
During incidents, on-call engineers and/or incident response teams can escalate their privileges to investigate and respond.

Monitoring unauthorized access

Section 500.14: "Implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users"

Solution - respond to unusual permissions
Feed your SIEM with audit logs through Entitle's API-first platform to identify anormal permissions. Your admins can easily flag, revoke, or keep permissions.

A screen of table from Entitle

We would be happy to help you comply with the NYDFS cybersecurity regulation

Find a time to chat