Salesforce and the NYCRR 500: What You Need to Know About Staying Compliant
New York State ranks third in the nation over six years for ransomware and data breaches, with 775 million lost in 2022 alone. It’s no surprise, then, that the state has one of the most sweeping cybersecurity regulations in the nation: 23 NYCRR Part 500. The CRR 500 covers everything from how to set up a cybersecurity program and an incident response plan to how you’ll keep applications secure and test for vulnerabilities.
If you use Salesforce, and you’re a financial services organization that the CRR 500 considers a covered entity, this article is for you. We dug deep into the law so that we could provide you with an easy-to-digest version of the requirements, along with relevant actions you can take to keep Salesforce secure.
Our conclusion: While the law is extensive and specific, remaining compliant is possible. Some of our findings are in this post, but to read them all, check out the full whitepaper here.
What is the NYCRR 500 and who does it apply to?
The New York Department of Financial Services (NYDFS) enacted the CRR 500 in March 2017, making a significant amendment in November 2023. The law lays out requirements for cybersecurity practices that “covered entities” must follow or risk disciplinary action by the NYDFS superintendent.
The law goes into detail on who is covered, who isn’t, and who is exempt from some parts but not others, but it gets gnarly. To help you determine where your organization stands, we’ve simplified the notes into a flow chart, which you can access in our whitepaper: Salesforce and the NYCRR 500: Compliance and Cybersecurity for Covered Entities
Generally, covered entities include banks and financial institutions, insurance companies, money services businesses, mortgage brokers and lenders, and virtual currency businesses. But you should consult with legal or compliance professionals to determine your specific status and obligations under NYDFS cybersecurity requirements.
If it’s possible you’re a covered entity and you haven’t started looking into compliance, it’s a good time to start: most of the requirements are already in effect.
Warning: Salesforce could be an island.
In our experience, we’ve noticed that some organizations leave Salesforce as an island, separated from the safety of the mainland and prey to pirates. It sounds dramatic, but when it comes to cybersecurity, an unprotected or poorly configured Salesforce implementation can be a material threat to the entire organization’s security.
Your organization may have a cybersecurity program and policies, but if there’s a gap between the approved policy and your Salesforce implementation, you’re vulnerable. For your security and to gain compliance with the NYCRR 500 and other cyber regulations, your cybersecurity policies have to exist, be reviewed and approved, and become the basis for technical and practice decision making within your Salesforce organization. Learn why else Salesforce needs to be part of your security program.
If you work with Red Argyle, our team can evaluate your cybersecurity policy (or create one if it doesn’t exist), assess Salesforce against the policy to identify compliance issues, and help you bring Salesforce into alignment with policy requirements.
A summary of the NYCRR 500 requirements.
The CRR 500 begins by requiring covered entities to have a cybersecurity program that’s supported by over 15 specific cybersecurity policies. They must have appropriate governance (i.e. a chief information security officer) to own the program, along with a senior governing body.
To give you a taste of the extensiveness of the CRR 500, here’s what you may need to do to ensure Salesforce is compliant with just these two sections:
- Develop a Salesforce cybersecurity program that aligns with your organization’s program.
- Assess whether Salesforce is in alignment with 15+ cybersecurity policies and if not, bring it into alignment.
- Validate that Salesforce is included in relevant policies, procedures, and risk analysis.
You can find the rest of our recommended Salesforce security actions in the whitepaper.
Continuing on, the CRR 500 outlines what’s required in the cybersecurity program, starting with penetration testing and vulnerability assessments. Covered entities also need to maintain an audit trail, apply least-privilege access everywhere, have procedures for secure application development and for testing external applications, and conduct risk assessments at least annually.
In addition, covered entities need to have a robust policy for managing third-party providers and their access. Any individual accessing information systems, like Salesforce, must use multi-factor authentication. The cybersecurity program must be managed by qualified staff, a third party, or an affiliate.
The CRR 500 requires that covered entities have policies and procedures to track assets and plan for data retention. They must also be able to monitor all activity, train employees on cybersecurity, and implement risk-based controls. They must protect nonpublic information with encryption.
To prepare for any incidents, covered entities must have an incident response plan and a business continuity management plan, and the plan must include providing prompt notice to the NYDFS superintendent.
The regulation closes out with explanations about confidentiality, exemptions, enforcement, effective dates, and transitional periods.
What this means for you
Each of the requirements above applies not only to your overarching organization, but also to the information systems in the organization, which include Salesforce.
Keep in mind, this is just a quick overview; there are more details to the regulation than we can provide here. Check out our whitepaper to get a summary of 20+ sections of the CRR and our suggestions for getting Salesforce into compliance.
The 5 takeaways that Salesforce leaders must know.
Salesforce leaders at covered entities should take action to ensure that Salesforce won’t be the cause of a breach. Here are five facts you can take away to make a case for stronger Salesforce security:
- The NYCRR 500 contains some of the most specific and sweeping requirements of any national cybersecurity regulation so far.
- Determining if you’re a covered entity can be complex (some are subject to some parts but not others). Some covered entities are even Class A companies and are subject to more requirements. Review our flowchart to find out more.
- If you’re a covered entity using Salesforce, the NYCRR 500 regulations include Salesforce. Salesforce is a critical piece of IT infrastructure and should be considered material to any organization’s cybersecurity program.
- The first enforcement action was concluded in February of 2023, resulting in a multimillion-dollar settlement with the NYDFS. They will continue to pursue enforcement as their resources increase.
- Many of the requirements in the CRR 500 are already in effect. Covered entities should take immediate action to maintain compliance.
And one final fact: If you need a partner along this journey, don’t hesitate to reach out to Red Argyle. Salesforce security is right in our wheelhouse, and we can help you strengthen your program across every compliance area.