In our recent blog post, “Seven SaaS Risks Impacting NY-DFS Requirements,” we explored the critical SaaS risks that financial organizations face today and the evolving role of the New York Department of Financial Services (NY-DFS) in mitigating these challenges. As a key regulatory body, the NY-DFS is increasingly focused on safeguarding the financial sector from emerging threats, including those related to SaaS usage.
To further explore this topic, we highlighted insights from Harriet Pearson, the Executive Deputy Superintendent and Cybersecurity Division Head at NY-DFS. Pearson elaborated on the rising threat of supply chain attacks, which often propagate through app-to-app connectivity, significantly increasing the risk landscape for financial institutions. In response to these growing risks, NY-DFS has intensified its regulatory oversight, requiring all financial entities operating in New York—whether banks, insurers, or fintech firms, and irrespective of their headquarters—to comply with new state laws. This comprehensive approach is crucial for protecting consumers and maintaining financial stability across the state.
As most CISOs and security teams are already working to comply with these regulations, this article will focus on how to:
1. Enhance your organization’s SaaS security with always-on automation.
2. Save resources and time across security processes.
3. Meet the demanding NY-DFS requirement to report supply chain incidents within 72 hours.
4. Provide easy documentation for compliance checks.
All with typically less than 2 hours of work per week.
NY-DFS Requirements and their Implementation with Wing Security
**Table 1** outlines the key NY-DFS requirements listed in Chapter 500, and in the NY-DFS checklist
Wing Security Solution: Security Steps to Fly Through Regulation
Wing offers an easy-to-use, agentless SaaS Security Posture Management (SSPM) solution that automates the entire lifecycle of SaaS security. From discovery to supply chain breach and attack surface management, Wing makes deployment straightforward and simple, even for the most overloaded security teams.
Benefits of Wing Security Solution
- Total Discovery: Identify applications and shadow AI training on NPI.
- TPRM: Conduct basic Third-Party Risk Management (TPRM) across 300,000 SaaS applications.
- Policy Enforcement: Educate and enforce cybersecurity policies with end users.
- Access Reviews: Leverage automation to speed up and ease regular access reviews across hundreds of applications.
- Attack Surface Reduction: Constantly reduce the attack surface by removing unused files shared via SaaS.
- Real-Time Reporting: Receive immediate reports of breach events from any SaaS supplier.
Steps for Security
Detailed Steps
Step 1: Constant Discovery of SaaS Supply Chain
Wing leads in the discovery of SaaS applications, whether sanctioned or not. To identify application interconnectivity and access from managed devices, Wing’s agentless approach can use a combination of these 3 methods: API-based discovery, mail services monitoring (using metadata and digital signature from 300,000 SaaS services), and integration with existing MDM and XDR systems.
Step 2: Conduct Risk Assessment and Ensure NPI is Handled by Third-Party AI
Wing maintains a comprehensive SaaS reputation database with over 300,000 applications, tracking usage, security, privacy compliance, and breach history. This provides a quick risk score and visibility into whether applications are training on company NPI, and whether apps are enabling opt-out from these training practices.
Step 3: Share Risk, Set Policies, and Automatically Educate and Enforce SaaS Vendor Management
In these steps, the security team will automatically delegate and collaborate to set and enforce business risk-reward decisions related to SaaS applications. The security team can approve apps for organizational use. Alternatively, Wing will interact with users to request business justification, significantly reducing the workload for CISOs. For applications not approved for organizational use, Wing will not simply block or disconnect them, as this often leads users to find alternative ways to access forbidden apps. Instead, Wing will communicate with users to request app removal, track usage, alert management of misbehavior, and eventually request admin intervention or automatically remove the application’s access. Managing the lifecycle with transparent communication with end users ensures the highest level of security and compliance in the organization. Wing will also be able to send custom notes for users onboarding new applications, including company policies and training (coming soon).
Step 4: Configuration and MFA Enforcement
Wing guides customers through critical SaaS platform configurations, ensuring MFA use in work environments and identifying systems.
Step 5: Conduct User Access Reviews
Wing enables in-depth user access reviews for hundreds of applications, providing detailed views of users, their roles, and generating evidence for compliance requirements like SOC2, ISO, and NY-DFS.
Step 6: Minimize Unneeded Attack Surface and Remove Unneeded Data Shares
Minimizing the attack surface without impacting business operations is not only a best security practice but also aligns with NY-DFS compliance. Wing collaborates with organizations to automatically remove unused applications, tokens, and unsafe data shares via SaaS, and other posture management attack surface reduction activities ensuring both efficiency and security.
Step 7: Instant Reporting and Response to Supply Chain Breach Events
Wing’s algorithms, Incident Response and intelligence teams constantly scan the SaaS domain, alerting customers to breaches and security events affecting their supply chain as they occur. Wing’s experts ensure that customers receive timely notifications, enabling CISOs to minimize the risk and fulfill their responsibility of reporting events within 72 hours. Additionally, Wing scans for risky insider behavior and leaked credentials, further enhancing security.
Talk to Wing’s SaaS experts, or start for free.
