Enhancing Cyber Resilience: A Deep Dive into Commvault Cloud Solutions for the Second Amendment to 23 NYCRR Part 500 Regulation

The New York Department of Financial Services (NYDFS) is proactively responding to escalating cyber threats with the Second Amendment to Chapter 23 of the New York Codes, Rules, and Regulations (23 NYCRR Part 500). This amendment is a strategic move to fortify information and financial systems against the increasing prevalence and sophistication of cyberattacks. The call for additional controls to manage cyber risks cost-effectively is louder than ever.

As we dissect the intricacies of this regulatory change, it becomes apparent that organizations need more than a mere rulebook; they require a robust solution ready to confront cyber challenges head-on. This is where Commvault® Cloud, powered by Metallic® AI, enters the game to help meet regulatory requirements while elevating cyber resilience. Now is the time for organizations to embrace the future with Commvault Cloud.

Let’s delve into the critical sections of the amendment, exploring how Commvault Cloud innovative solutions align seamlessly with some key requirements.

Cyber Resilience through Intelligent Risk Analysis [Sections 500.9(a), 500.2(c)]

Commvault Cloud’s Risk Analysis solution goes beyond traditional methods. It systematically identifies and categorizes sensitive data across on-premises and cloud locations. By scanning diverse data types, including images, Risk Analysis pinpoints redundant, obsolete, and trivial (ROT) data. It addresses issues related to data sprawl and duplication in addition to facilitating prompt risk assessment based on data sensitivity and impact. File access and privileges related to sensitive data can undergo thorough quick reviews for robust security measures and to intelligently inform the design of your cybersecurity program mandated by the amendment.

AI-Driven Monitoring and Training [Section 500.14(2)]

In addition to the Risk Analysis capabilities, Commvault Cloud introduces Security IQ to furnish a comprehensive security posture dashboard. It provides a dynamic score to aid organizations in identifying and mitigating security risks. Commvault Cloud Threatwise enhances further detection and monitoring capabilities by providing early detection of attempts to infect critical assets with malicious code. If activated, the Network Intelligence sensor actively monitors outbound threats and connections to botnets or malicious URLs and can assist in monitoring suspicious web traffic as required by the amendment as well.

Zero-Trust Access Controls [Section 500.7(a)]

Commvault Cloud goes beyond conventional access controls. It introduces zero-trust controls, including Multi-Factor Authentication (MFA), Multi-Partner Authorization (MPA), Privilege Access Management (PAM), Role-Based Access Control (RBAC) including granular security, and Security Assertion Mark-up Language (SAML). It also provides extensive audit logs when needed. These comprehensive security features finely tune access privileges to align with the highest security standards.

Advanced Encryption for Maximum Security [Section 500.15(a)]

Commvault Cloud meets the best-in-class encryption requirements, aiding the secure transfer of data in-flight via authenticated channels and encrypted data at rest for secured storage. Leveraging FIPS 140-3 (AES 256) and through REST TLS 1.3 authenticated API calls over HTTPS it supports compliance with the industry-standard encryption outlined in the amendment.

Notice of cybersecurity event, Early Warning System, and Cyber Deception Techniques assisting with a cyber incident determination within 72 hours [Section 500.17(a)]

With Commvault Cloud Threatwise, financial entities can receive early warning signals alerts using advanced deception techniques that can identify lateral movements in the network, reconnaissance, or attempts to infect backup workloads and production environments. Additionally, The Anomaly framework can send alerts on unusual file activity, aiding in threat identification within backups. Integrations with SIEM and XSOAR can assist in disabling data aging or users at risk. With Commvault Cloud Threatwise, financial entities can create decoys of servers, endpoints, financial decoys assets such as Swift & ATMs, networking equipment, and more, effectively mimicking financial entity assets. This proactive approach contributes to reducing response times, improving threat intelligence correlations and remediation, thus eventually assisting IRT to shorten the determination time for a cyber incident.

Incident response testing [Section 500.16]

The amendment mandates: “Each covered entity shall periodically, but at a minimum annually, test incident response and BCDR plans ….” Commvault Cloud Backup and Recovery capabilities, along with Commvault Cloud Auto Recovery, Commvault Cloud Air Gap Protect, and CommServe Recovery Validation Service provide a comprehensive and complete timely solution for this requirement. It simplifies the process for organizations to automate clean recovery of the backup infrastructure and application group recoveries, allowing periodic recovery testing in a clean environment in the cloud, which can be used for cyber forensics as well.

You can restore and support BCDR plans as well as test without impacting production environments. Moreover, the amendment requires that “backups shall be adequately protected from unauthorized alterations or destruction.” Commvault Cloud Air Gap Protect, together with the zero-trust architecture, control, data, and storage planes separation, Threatwise, security IQ posture dashboard, the anomaly framework, ThreatScan, and the Cleanroom Recovery solutions, support that.

Conclusion: Preparing for the Future with Commvault Cloud

The clock is ticking. Covered financial entities must prepare for compliance with the Second Amendment to 23 NYCRR Part 500. Commvault Cloud, powered by Metallic AI, is the timely solution to boost covered financial entities, providing the necessary tools to support compliance with the amendment. The time to get ready and prepared is now.

Note: This is Commvault’s perspective. Commvault does not provide legal or compliance guidance.