While some CISOs are aware that the New York Department of Financial Services (NY-DFS) has recently tightened compliance requirements for financial firm “covered entities” to mitigate cyber-attack risks, lesser known are the implications and actions required for Software-as-a-Service (SaaS) environments.
Financial firms, often reliant on numerous third-party applications, find their SaaS supply chains frequently targeted, and are regularly plagued by ransomware attacks. With over 300,000 SaaS services and an average employee using 29 different applications, maintaining NY-DFS compliance for these covered entities is challenging, especially concerning third-party risk management. CISOs must understand all supply chain components, monitor risk posture changes, and report security incidents within the SaaS supply chain to NY-DFS within 72 hours. This ensures financial institutions stay vigilant and responsive to security threats.
Based on Wing data and customer feedback, below are seven types of risks faced by financial firms and how they correlate to requirements for NY-DFS compliance.
- Time-sensitive SaaS Supply Chain security events
NY-DFS mandates that all covered entities report cybersecurity events within 72 hours, whether occurring within the organization or a third-party service provider.
Since SaaS is interconnected by nature, a vulnerability in one can compromise the entire supply chain, affecting multiple services and lead to non-compliance. Wing’s SaaS Security report found that 96% of organizations used at least one breached application in the last year. A SaaS supplier breach can cause data loss, create phishing backdoors, or lead to credential theft, compromising other critical services. With the new 72-hour reporting deadlines, security teams face increased pressure to become more agile. Compliance with NY-DFS and regulations like DORA is now non-negotiable, making timely breach reporting critical.
- Shadow IT Impacts Inventorying SaaS Supply Chains
NY-DFS requires inventory and risk assessments for all information systems.
The unsupervised use of SaaS by employees, known as shadow IT, complicates security management. Lack of visibility can lead to data leaks and non-compliance. It is also a source of credential theft associated with organizational accounts. CISOs need complete visibility into their SaaS supply chain to assess the business risk-reward of each service.
- Insider Threats Impact SaaS Access Policies
NY-DFS mandates that CISOs implement and enforce cybersecurity policies for all third-party service providers.
Employees with access to sensitive data can cause breaches, intentionally or unintentionally. SaaS platforms can exacerbate this risk, making it essential to monitor and control internal activities. CISOs are expected to set, communicate, and enforce these policies within the organization. Usage of automatic SaaS security enforcement is recommended.
- MFA Issues Impact Verification credential staffing attack risks
NY-DFS requires verification of MFA usage and proper configuration across key information systems.
While MFA is crucial, improper implementation can leave applications vulnerable. Sophisticated attacks and MFA fatigue pose significant risks. Rapid verification of configurations at the employee level is advised to prevent exploitation.
- AI Integration Impacts Data and NPI Protection
NY-DFS calls for assessing third-party data protection practices to prevent exposure of non-public information (NPI)and advises the organization to include AI diligence in the risk assessment process.
The recent rapid integration of AI into SaaS has introduced significant new risks. Over 7,000 apps have AI capabilities, and many have changed their terms to allow training models on shared NPI. This issue, known as “Shadow-AI,” conflicts with the CISO’s responsibility to prevent unauthorized data access and usage.
- Access Management Impacts Saas Privileges
NY-DFS requires enhanced user access controls and periodic reviews to remove unnecessary access.
When broad access privileges are allowed, data can be excessively exposed. Limiting user access privileges is advised to manage and reduce the potential attack surface of SaaS. Access can be allowed mainly to information systems that house nonpublic information and limited only to those functions necessary to perform the user’s job, only when performing functions requiring such access.
- File Sharing Risks Impacts NPI Protection
NY-DFS explicitly requires proper handling of non-public information, including data shared through SaaS.
The ease of file sharing through SaaS can lead to accidental data exposure. Wing’s research found 73% of organizations share sensitive files, and 85% of these shares were unused for over six months. Ensuring compliance with file-sharing protocols is crucial.
Mitigating SaaS Threats and Ensuring Compliance – The Role of SSPM Solutions
Managing SaaS third-party risks can be resource-intensive. The need to comply with on-time reporting of supply chain security incidents adds even more urgency into the constant management of SaaS security. By leveraging SaaS Security Posture Management Solutions (SSPM) like Wing Security, organizations can efficiently meet compliance requirements, avoiding risks and penalties. This is particularly important in highly regulated industries where compliance protects the organization’s reputation and trustworthiness. SSPM solutions like Wing provide complete visibility into the SaaS stack, enabling proactive detection and mitigation of vulnerabilities.
Automating remediation workflows saves time, streamlining responses to security incidents and ensuring regulatory compliance. SSPM solutions also simplify audit preparations with detailed logs and reports, making it easier to meet regulatory requirements.
In our next blog, Wing’s SaaS Security Checklist for NY-DFS, we will review the requirements of tools that automate and streamline SaaS security implied by NY-DFS.
