
Beyond the Perimeter: How NYDFS 23 NYCRR 500 Principles Apply to the Expanding API Attack Surface
Highlights:
- NYDFS 23 NYCRR 500 requires covered entities (NYDFS-regulated financial institutions) to maintain a comprehensive cybersecurity program covering their information systems.
- APIs are critical IT assets and fall under the full scope of NYDFS principles.
- Core NYDFS requirements (inventory, risk assessment, access control) directly apply to API assets.
- Salt Security helps apply NYDFS controls effectively to discover, govern, and protect API assets.
- Securing API assets is vital for NYDFS compliance, customer trust, and operational resilience.
For financial institutions in New York, the NYDFS Cybersecurity Regulation (23 NYCRR 500) is a vital mandate that requires a strong and comprehensive cybersecurity framework. This regulation outlines numerous requirements aimed at safeguarding customer data and maintaining the integrity of financial systems. In our current digitally connected environment, Application Programming Interfaces (APIs) serve as the foundation of financial services, enabling everything from mobile banking to intricate data exchanges and third-party integrations. At Salt Security, we assert that APIs are not just a specialized technology but are essential IT assets that need to be managed with the same stringent security measures applied to all other vital elements of your IT infrastructure.
Recognizing this is a crucial first step for effectively implementing the NYDFS framework. While the regulation delineates broad cybersecurity requirements rather than naming specific technologies, its principles apply to every system and asset that handles sensitive information or performs critical functions, and APIs undoubtedly belong in this category. Acknowledging their significance, the New York Department of Financial Services has issued guidance emphasizing the need for “monitoring for anomalies and enforcing multi-factor authentication (MFA) for access” relating to APIs. Additionally, section 23 NYCRR 500.11 (Third Party Service Provider Security Policy) requires written policies and procedures covering the security of information systems and NPI that third-party service providers can access, which necessarily includes any APIs exposed to those parties. By treating APIs as essential IT assets, financial institutions can weave API security into their comprehensive NYDFS compliance strategy, ensuring that no crucial pathway goes unaddressed.
Integrating API Assets into Your NYDFS Compliance Framework
When APIs are recognized as vital IT assets, the application of NYDFS 23 NYCRR 500 principles becomes clear and logical. Salt Security provides the specialized capabilities to help you manage and secure these unique assets in line with the regulation’s intent:
The journey starts with thoroughly understanding your asset landscape, a fundamental principle in sections such as 23 NYCRR 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy, whose policy areas include asset inventory and device management) and, under the 2023 amendment, 500.13 (Asset Management), which requires a complete and documented asset inventory. Just as you track servers and databases, your API portfolio (internal, external, partner-facing, shadow, and even outdated ‘zombie’ APIs) needs to be documented as part of IT asset management. It is crucial to identify which APIs handle sensitive Nonpublic Information (NPI) and to map those data flows. An inventory built only from the API gateway or from developer-supplied specifications will miss endpoints that never went through either, so discovery should also be driven from observed traffic. Salt Security supports this by providing comprehensive, ongoing API discovery and sensitive data classification, making sure these vital assets are fully visible and accounted for.
Risk Assessment (23 NYCRR 500.09) processes must include these API assets. The regulation requires periodic risk assessments of the covered entity's information systems. APIs, with their direct connections to data and functionality, pose specific risk vectors (authentication and authorization weaknesses, over-exposure of NPI in responses, and unmonitored third-party access) that necessitate targeted evaluation. Salt Security aids in this phase by providing automated API risk assessments designed to uncover authentication weaknesses, identify potential data exposure through APIs, and detect policy violations pertinent to these assets.
The principles of Access Privileges and Management (23 NYCRR 500.07) are vital for safeguarding all IT assets, including APIs. To prevent unauthorized access to NPI via APIs, it is crucial to enforce least-privilege access (scoping tokens to the operations and data a client actually needs), to manage the lifecycle of API tokens and keys (issuance, rotation, revocation, and short lifetimes), and to monitor for privilege escalation attempts. NYDFS guidance also emphasizes MFA (23 NYCRR 500.12) for API access; for user-facing APIs this means MFA at the point the session or token is issued, while for machine-to-machine calls, where interactive MFA does not apply, the practical equivalent is strong client authentication such as mutual TLS or short-lived signed credentials bound to the client. Note that authentication alone does not satisfy the access-control principle: the most common API failure, Broken Object-Level Authorization (BOLA), occurs when a correctly authenticated caller is never checked for permission on the specific object it requests. Salt Security strengthens these measures with ongoing monitoring for authentication vulnerabilities, excessive access privileges, and prevalent API vulnerabilities such as BOLA.
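The BOLA failure described above, shown as an added illustration rather than Salt Security's own code: an account-lookup handler that authenticates the caller but never checks ownership, beside a hardened version that enforces a token scope and an object-level ownership check. The in-memory account store, the `Principal` type, the scope names and the `probe` helper are all assumptions constructed for this example.

```python
"""BOLA (Broken Object-Level Authorization): vulnerable handler beside its
hardened form. Added example; the data, scope names and types are assumed."""
from dataclasses import dataclass, field

# Constructed sample records, not real customer data.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 2500, "ssn_last4": "1234"},
    "acct-1002": {"owner": "bob", "balance": 900, "ssn_last4": "5678"},
}


@dataclass
class Principal:
    """Authenticated caller, as derived from an already-validated API token."""
    user: str
    scopes: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_account_vulnerable(caller: Principal, account_id: str) -> dict:
    """Authentication happened upstream, but the object is never checked
    against the caller: any logged-in user can read any account by ID."""
    if account_id not in ACCOUNTS:
        raise NotFound(account_id)
    return ACCOUNTS[account_id]


def get_account_hardened(caller: Principal, account_id: str) -> dict:
    """Least privilege plus object-level authorization.

    1. The token must carry a scope that permits this operation at all.
    2. The caller must own the object, or hold an explicit cross-account
       scope (e.g. for an auditor role).
    'Missing' and 'not yours' both return NotFound so the endpoint cannot be
    used to enumerate which IDs exist.
    3. Only the fields the operation needs are returned; the SSN fragment
       stays out of the response.
    """
    if not caller.scopes & {"accounts:read", "accounts:read:any"}:
        raise Forbidden("token lacks an accounts:read scope")
    record = ACCOUNTS.get(account_id)
    if record is None or (
        record["owner"] != caller.user and "accounts:read:any" not in caller.scopes
    ):
        raise NotFound(account_id)
    return {"owner": record["owner"], "balance": record["balance"]}


def probe(handler, caller: Principal, candidate_ids) -> list:
    """What an attacker holding `caller`'s token can read by iterating IDs,
    which is exactly the BOLA test a pentester runs against an endpoint."""
    readable = []
    for account_id in candidate_ids:
        try:
            handler(caller, account_id)
            readable.append(account_id)
        except (NotFound, Forbidden):
            pass
    return readable


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"accounts:read"}))
    print("vulnerable:", probe(get_account_vulnerable, alice, list(ACCOUNTS)))
    print("hardened:  ", probe(get_account_hardened, alice, list(ACCOUNTS)))
```

Running the probe with Alice's token shows the difference directly: the vulnerable handler lets her read both accounts, the hardened one only her own. The ownership check lives in the handler rather than in a gateway rule because the gateway has no way to know which objects belong to which caller; that mapping exists only where the data is.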
Effective monitoring and threat detection capabilities are crucial for any IT asset, as specified in sections such as 23 NYCRR 500.02(b) and 500.03(g). For APIs, this means identifying behavioral anomalies such as data scraping, sequential enumeration of object identifiers, or irregular call patterns, and doing so with context: a baseline of what each endpoint and each client normally does, rather than generic request signatures, is what separates abuse from legitimate high-volume integrations. NYDFS guidance likewise instructs institutions to watch for anomalies in APIs. Salt Security’s AI-driven behavioral analysis is tailored to safeguard these API assets by identifying and alerting on malicious activities, including emerging threats that traditional tools may overlook.
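The kind of behavioral check the paragraph above refers to, written as an added example and not as Salt Security's detection logic: a small detector run over constructed JSON-lines API gateway logs that flags, per token, sequential object-ID enumeration, an unusual number of distinct objects touched in a short span, and a high not-found ratio (the signature of someone guessing IDs). The log format, field names, path pattern and thresholds are all assumptions made for this illustration.

```python
"""Behavioral API-abuse detection over gateway access logs (added example).
Flags tokens that enumerate object IDs or probe for objects that do not exist.
The log format, thresholds and sample lines are assumptions for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway log (JSON lines); not captured from a real system.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:01Z","token":"tok-alice","method":"GET","path":"/v1/accounts/acct-1001","status":200}
{"ts":"2024-05-01T10:00:09Z","token":"tok-alice","method":"GET","path":"/v1/accounts/acct-1001/transactions","status":200}
{"ts":"2024-05-01T10:00:10Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1001","status":200}
{"ts":"2024-05-01T10:00:10Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1002","status":200}
{"ts":"2024-05-01T10:00:11Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1003","status":404}
{"ts":"2024-05-01T10:00:11Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1004","status":200}
{"ts":"2024-05-01T10:00:12Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1005","status":404}
{"ts":"2024-05-01T10:00:12Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1006","status":200}
{"ts":"2024-05-01T10:00:13Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1007","status":404}
{"ts":"2024-05-01T10:00:13Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1008","status":200}
{"ts":"2024-05-01T10:00:14Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1009","status":404}
{"ts":"2024-05-01T10:00:14Z","token":"tok-scraper","method":"GET","path":"/v1/accounts/acct-1010","status":200}
"""

# Assumed path convention: the object identifier is the numeric suffix of acct-NNNN.
OBJECT_ID = re.compile(r"/accounts/acct-(\d+)")


def parse_log(text: str) -> list:
    """Parse JSON lines into events with a datetime and an extracted object ID."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        match = OBJECT_ID.search(rec["path"])
        rec["object"] = int(match.group(1)) if match else None
        events.append(rec)
    return events


def detect_abuse(events, window_s=60, max_distinct_objects=5, max_not_found_ratio=0.3):
    """Per-token checks over the supplied slice of events, treated as one window.

    Returns {token: [reason, ...]} for tokens whose behaviour looks like
    scraping or ID guessing. Thresholds are illustrative; in practice they are
    derived from each client's own baseline rather than fixed globally.
    """
    by_token = defaultdict(list)
    for event in events:
        by_token[event["token"]].append(event)

    findings = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        objects = sorted({e["object"] for e in evs if e["object"] is not None})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()

        # Many distinct objects in a short span: bulk read / scraping.
        if span <= window_s and len(objects) > max_distinct_objects:
            reasons.append(f"{len(objects)} distinct object IDs in {span:.0f}s")

        # Strictly consecutive IDs: someone is walking the ID space.
        if len(objects) >= 3 and all(b - a == 1 for a, b in zip(objects, objects[1:])):
            reasons.append("sequential object ID enumeration")

        # High 404 ratio: guessing IDs that do not exist (or are not theirs).
        not_found = sum(1 for e in evs if e["status"] == 404)
        ratio = not_found / len(evs)
        if len(evs) >= 5 and ratio > max_not_found_ratio:
            reasons.append(f"{ratio:.0%} of calls returned 404")

        if reasons:
            findings[token] = reasons
    return findings


if __name__ == "__main__":
    for token, reasons in detect_abuse(parse_log(SAMPLE_LOG)).items():
        print(token, "->", "; ".join(reasons))
```

On the sample, `tok-alice` (one account, two calls) is clean and `tok-scraper` trips all three checks. The 404-ratio check only works if the API returns the same status for "does not exist" and "not yours"; if it distinguishes them, the status code itself becomes an enumeration oracle and the detector should treat 403 as equivalent to 404 here.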
In the event of an incident, the established Incident Response Plan (23 NYCRR 500.16) needs to cover all affected IT assets, including APIs. The ability to investigate an API-related breach quickly enough to meet the 72-hour notice to the superintendent required by 23 NYCRR 500.17 is essential, as is the maintenance of Audit Trails (23 NYCRR 500.06) sufficient to reconstruct what happened. For an API that means per-call logs that record the caller identity, the object or resource touched, the response status, and enough metadata to tell a legitimate integration from an abusive one. Salt Security meets these needs with automated forensic timelines, detailed incident drill-down options, and API call logging enriched with metadata, supplying vital information for both rapid response and thorough audits regarding your API assets.
Finally, securing IT assets throughout their lifecycle, including secure development practices (addressed under the asset inventory and device management and the systems and application development and quality assurance policy areas of 23 NYCRR 500.03), is essential. This means integrating security scanning and configuration checks into the development pipeline for API assets: validating the API specification for missing authentication and authorization requirements, checking that no sensitive fields are exposed by default, and catching misconfigurations before deployment rather than after. Salt Security offers shift-left posture analysis, which integrates into developer workflows, helping to ensure that your API assets are built and deployed securely from the start.
APIs as First-Class Citizens in Your Security Strategy
Treating APIs as integral IT assets is key to a resilient cybersecurity strategy and a confident approach to NYDFS 23 NYCRR 500. This perspective ensures that these critical conduits for data and functionality receive the security attention they deserve, safeguarding your institution against financial loss, reputational harm, and operational disruption.
Strengthen Your NYDFS Preparedness with Salt Security
Salt Security is dedicated to helping financial institutions protect their critical API assets and meet the rigorous demands of NYDFS 23 NYCRR 500.
- Gain critical visibility into your externally exposed API assets and identify potential vulnerabilities with our Free API Surface Scan.
- Rapidly inventory and understand your API assets across all your cloud environments (AWS, Azure, GCP) with Salt Cloud Connect.
Learn more about these regulations in our concise White Paper and contact Salt Security today to learn how our platform can help you fully integrate your API assets into your NYDFS compliance efforts and build a more secure financial future.
*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Eric Schwake. Read the original post at: https://salt.security/blog/beyond-the-perimeter-how-nydfs-23-nycrr-500-principles-apply-to-the-expanding-api-attack-surface