Oct 3, 2023
Oct 3, 2023
3 min
One of the significant challenges that companies have faced in complying with 23 NYCRR 500 is their tendency to prioritize traditional Software as a Service (SaaS) solutions while neglecting the critical issue of shadow IT SaaS.
In today's digital age, data breaches and cyberattacks have become a growing concern for businesses of all sizes. With sensitive information at risk, the financial industry has had to step up its game to protect clients' data and maintain trust. One crucial piece of legislation addressing this issue is 23 NYCRR 500, also known as the New York StateDepartment of Financial Services (NYDFS) Cybersecurity Regulation. This comprehensive regulation provides a set of requirements for IT operations in financial institutions that operate in New York. One of the significant challenges that companies have faced in complying with 23 NYCRR 500 is their tendency to prioritize traditional Software as a Service (SaaS) solutions while neglecting the critical issue of shadow IT SaaS. This selective focus has created a vulnerability gap that threatens data security and regulatory compliance. Grip Security's SaaS Security Control Plane emerges as a pivotal solution to this challenge, offering a comprehensive approach to discover, prioritize, and secure Shadow IT SaaS, ensuring a robust compliance posture.
In their efforts to adhere to 23 NYCRR 500, companies have diligently implemented security operations and technologies to address the compliance mandates for core SaaS applications into their cybersecurity and compliance strategies. These applications are known, go through a security review, and access to them is controlled tightly with detailed access logs. However, in the midst of this emphasis on core SaaS applications, the pervasive and elusive problem of shadow IT SaaS often goes ungoverned or underestimated. Shadow IT SaaS refers to unauthorized or unsanctioned SaaS applications that employees or departments use without proper approval or oversight from the organization's IT department. This is a growing trend in companies, and it does not show any signs of slowing down. Rather, employees now expect to be able touse SaaS applications that are not officially sanctioned by their company’s IT group.
23 NYCRR 500 defines the applications covered by the regulation as an information system. Specifically, the regulation defines an information system as, “…a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information….” The regulation does not exempt risk assessments, third-party oversight, or data protection policies for unauthorized or unsanctioned shadow IT SaaS systems. Financial institutions subject to this regulation are expected to address and mitigate the risks associated with Shadow IT SaaS applications to ensure compliance and protect sensitive data. Many financial services companies have not explicitly defined how they plan to accomplish this and mainly focus on known, sanctioned SaaS applications.
While traditional SaaS solutions play a vital role in compliance with 23 NYCRR 500, neglecting shadow IT SaaS because of its challenge scan have serious consequences. Financial institutions must recognize the importance of addressing these applications as an integral part of their cybersecurity and compliance efforts to ensure data security, regulatory compliance, and overall operational integrity. Not doing so means that companies are securing only a small percentage of the total number of SaaS applications being used by employees.
Financial companies subject to the 23 NYCRR 500 regulation must diligently implement measures to protect sensitive data, ensure cybersecurity resilience, and maintain compliance with NYDFS cybersecurity standards for shadow IT SaaS applications. Traditional cybersecurity products, however, were never designed for an IT environment where employees may use hundreds or thousands of different applications across the enterprise. The standard control points of controlling network access, securing the endpoint, or controlling the application are ineffective when the application and dataare beyond the enterprise perimeter and accessible from anywhere on any device.
Without a focus on managing SaaS identity risk, companies face critical issues that may make them non-compliant with the NYDFS regulation. 23 NYCRR 500 mandates that financial institutions establish a comprehensive cybersecurity program that covers shadow IT SaaS and adhere to strict reporting requirements. Neglecting Shadow IT SaaS means non-compliance with these regulations, potentially resulting in penalties and reputational damage. In addition, there are numerous other issues that must be addressed.Some of them are listed below.
- Security Blind Spots: Shadow IT SaaS applications operate outside the traditional IT department's visibility and control. This lack of oversight creates security blind spots, making it challenging to monitor and protect sensitive data effectively.
- Data Exposure: Unauthorized SaaS applications may handlesensitive financial data, customer information, or other critical assets.Neglecting these applications exposes the organization to data breaches and compliance violations.
- Data Governance: Without proper governance of Shadow IT SaaS, data governance practices become fragmented and inconsistent. This canlead to data mishandling, loss of control, and potential legal ramifications.
To address these challenges effectively, companies must broaden their cybersecurity and compliance strategies to include comprehensive measures for identifying, managing, and securing Shadow IT SaaS applications.Every day, new applications are coming online and putting financial services companies at risk. A recent example is the growth of generative AI applications. Some estimate that there are already more than 100 applications available. The first step is to discover the applications being used, and the Grip SaaSSecurity Control Plane (SSCP) offers the industry’s most comprehensive an innovative, identity-based discovery process to detect authentication methods and track usage, providing a streamlined approach to managing shadow IT SaaS identity risks.
23 NYCRR 500, has been a cornerstone for cybersecurity inNew York's financial sector since its introduction in 2017. This groundbreaking regulation seeks to safeguard sensitive financial data and protect against cyber threats. However, it's not just the conventional security concerns that financial institutions must grapple with; they also face the often-overlooked issue of Shadow IT SaaS. SaaS has become a linchpin in modern business operations due to its scalability, cost-effectiveness, and ease of deployment.However, its very ubiquity presents unique challenges when it comes to governance and security.
The Grip SSCP helps companies comply with 23 NYCRR 500, with its ability to discover, prioritize, secure, and orchestrate the security foreshadow IT SaaS. The platform performs an agent-less, identity-based discovery process to detect authentication methods, and track usage from the first observed interaction to the present day—allwith a simple, 10-minute deployment. By dynamically assessing risk to identity assets and pinpointing missing security controls like SSO and MFA, GripSecurity provides a comprehensive approach to managing identity sprawl risks that arise from shadow IT SaaS, ensuring robust compliance with this important regulation.
Request a consultation and receive more information about how you can gain visibility to shadow IT and control access to these apps.
Fill out the form and we’ll send you our Datasheet.
Give us a test drive.
Fill out the form and we’ll get in touch with you.
Fill out the form and watch webinar's video.
