It was announced on 1 November 2023 that financial services companies and insurers doing business in New York have months to comply with new cybersecurity requirements published by the Department of Financial Services (NYDFS). These updated requirements, which have significant implications for organizations that leverage SaaS applications, reinforce the high level of data security, operational resilience, and service quality that financial services companies already maintain.
Own Company (formerly OwnBackup) can help customers quickly bring their SaaS data into compliance by protecting the security, integrity, and availability of nonpublic information in Salesforce, ServiceNow, and Microsoft Dynamics 365. Below are several requirements of the regulation that impact how organizations manage their SaaS data, along with ways that Own can help:
SaaS Data Availability & Recovery
The enhanced NYDFS cybersecurity regulation emphasizes the importance of backing up data and testing the ability to restore in a timely manner. Covered entities are required to track key information for each asset, including Recovery Time Objectives (RTO), which helps minimize business disruption and downtime. The regulation also requires organizations to back up information essential to maintaining operations with sufficient frequency to minimize data loss.
Own Recover backs up SaaS data and metadata automatically and on-demand, and enables customers to restore rapidly, either fully or down to a specific record or field, without impacting new data.
Organizations that rely on ServiceNow for maintaining infrastructure can use Own Recover to back up data that supports IT services (ITSM) and operations (ITOM), ensuring their availability and integrity when troubleshooting problems. When an IT problem causes a service disruption, and IT support staff cannot access ServiceNow, it can take longer to resolve the problem, increasing the negative impact on consumer confidence and competitiveness, directly impacting a bank’s bottom line.
The NYDFS cybersecurity regulation specifies that backups be stored offsite and protected from unauthorized alterations or destruction. Own preserves backups in secured cloud-based environments that remain accessible even when SaaS provider systems are not. For business continuity purposes, including ransomware readiness, the new Own Discover product enables customers to have instant and easy access to their data, structured identically to Salesforce, to which the customer can bring reporting tools and even homegrown apps.
Organizations that rely on Salesforce for customer-facing services and support can use Own products to ensure that critical information is available even when an IT incident occurs. Organizations can maintain their competitiveness and consumer confidence by minimizing disruption and downtime, impacting the quality of customer service.
The NYDFS cybersecurity regulation also requires covered entities to “periodically, but at a minimum annually, test its ability to restore its critical data and information systems from backups.” Own solutions include Data Recovery Readiness and Response (DR3™) for SaaS, helping customers exercise their SaaS data recovery operations and rebound quickly with a combination of processes, people, and technology.
SaaS Data Security & Privacy
A critical component of a regulatory compliance program is to conduct regular risk assessments to determine the most critical areas to concentrate on. Own Secure for Salesforce streamlines implementation of regulatory requirements with automation and security insights. This includes requirements in the NYDFS Regulation for data classification, least privileged access, data retention, encryption, and monitoring. Own’s Security & Governance team works with Secure customers to identify and prioritize risks in their SaaS environments.
SaaS Data Monitoring & Alerting
The importance of monitoring for anomalous activity applies to any information system, including SaaS environments. The NYDFS cybersecurity regulation requires monitoring activities on information systems to “detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users.”
Own Secure alerts of high-risk permissions help satisfy the requirement that “Class A companies shall monitor privileged access activity” and require a mechanism to manage privileged access. Secure also provides insights into objects that should be monitored (OTSBM) based on fields that are actually being used and are widely accessible by the user community.
Own Recover performs analysis of data changes between backups that provides visibility of data modifications over time. In addition, to help customers detect potential problems more quickly, Own Recover generates Smart Alerts to notify customers of abnormally large amounts of data being deleted or corrupted.
SaaS Data Retention
The need for data retention is addressed in the NYDFS cybersecurity regulation. Own Archive enables organizations to safely and securely offload SaaS data that must be retained for specific periods. Archive empowers organizations to define, automate, and manage their custom data retention policies, including what data should be archived, how frequently archiving should occur, and how long it is retained. If internal or external requirements change, the data retention policy can be quickly and easily updated in Archive, automatically adjusting the retention period on all applicable records. Benefits of using Archive for regulatory compliance include safely archiving immutable records in the cloud and securing sensitive legacy data to minimize risk and exposure.
Compliance Reporting
Own solutions provide documentation of current SaaS data security and resiliency, which customers can use for reporting to regulatory authorities.
Conclusion
The updated NYDFS regulation is an important step to prevent the risk of nonpublic information being lost or exposed by a cybersecurity event. The increased emphasis on business continuity, incident response, and timely recovery supports the availability and reliability of critical financial services. Raising the bar for financial services companies makes sense but comes with a cost. Covered entities need solutions that reduce the time and cost of compliance, which is where Own can help.
Learn more or book a meeting with our team below.