Privileged Access Management Overhaul: Met NYDFS Mandates & Minimized Insider Risk for a Global Insurance & Reinsurance Firm

Client: A global insurance and reinsurance firm, publicly listed and regulated under the New York Department of Financial Services (NYDFS) cybersecurity program.

Overview

The organization faced critical Privileged Access Management (PAM) gaps, resulting in missing audit trails, accountability concerns, and system outages. To address these issues and meet NYDFS cybersecurity mandates, the firm launched a structured PAM program with clear goals and a strategic rollout plan.

Challenges

  • Lack of Controls: Admins had direct, unrestricted access to critical enterprise systems.

  • Missing Accountability: No auditable records of who accessed what, when, and why.

  • Operational Risks: Lack of controls led to multiple outages.

  • Compliance Challenges: Failing to meet NYDFS cybersecurity regulatory requirements.

  • Cultural Resistance: The mid-size organization's culture relied on informal trust rather than structured controls.

Solution Approach

To address these challenges, the firm established a Privileged Access Management (PAM) program with the following initiatives:

  1. PAM Program Establishment

    • Defined clear goals and implementation timelines.

    • Ensured alignment with NYDFS cybersecurity regulations.

  2. Vendor Selection & Technology Implementation

    • Conducted an RFP process among vendors positioned as leaders in the Gartner Magic Quadrant.

    • Selected CyberArk as the PAM solution of choice.

    • Deployed CyberArk across all administrative accounts with role-based segregation.

  3. Access Governance & Automation

    • Integrated CyberArk with ServiceNow to enforce access control policies.

    • Admins could only access assigned assets based on incident tickets or pre-approved maintenance windows.

    • Implemented AI-driven monitoring to detect unusual access patterns, integrating with SIEM for real-time alerts.

  4. Strict Privileged Access Controls

    • Exception Management: Limited access to a maximum of two administrators per asset at any time.

    • Continuous Monitoring: Implemented a process requiring direct line managers to review and respond to any unusual activity that falls outside standard incident or change procedures.

  5. SOX Compliance & Regulatory Alignment

    • Enforced PAM controls for all SOX-regulated applications.

    • Ensured privileged access was granted based on business justification and approval workflows.
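The ticket-or-window access rule from initiative 3 and the two-administrators-per-asset limit from initiative 4 can be expressed as a single policy decision. The following is an added illustration, not code from the firm, CyberArk or ServiceNow; the ticket and maintenance-window records, assets, admins and timestamps are constructed stand-ins for what a ServiceNow integration would supply.

```python
from dataclasses import dataclass
from datetime import datetime

MAX_ADMINS_PER_ASSET = 2  # exception-management limit from the case study

@dataclass(frozen=True)
class Ticket:  # hypothetical ServiceNow incident record
    ticket_id: str
    asset: str
    assignee: str
    state: str  # "in_progress" or "closed"

@dataclass(frozen=True)
class MaintenanceWindow:  # hypothetical pre-approved change window
    asset: str
    start: datetime
    end: datetime
    approved_admins: frozenset

def evaluate_request(admin, asset, now, tickets, windows, active_sessions):
    """Return (allowed, reason) for a privileged session request.
    Access is granted only via an open incident ticket assigned to the
    requester or an approved maintenance window, and never when the asset
    already has MAX_ADMINS_PER_ASSET other admins connected.
    active_sessions: list of (admin, asset) pairs currently open."""
    others = {a for a, s in active_sessions if s == asset and a != admin}
    if len(others) >= MAX_ADMINS_PER_ASSET:
        return False, f"{asset} already has {len(others)} active admins"
    for t in tickets:
        if t.asset == asset and t.assignee == admin and t.state == "in_progress":
            return True, f"incident ticket {t.ticket_id}"
    for w in windows:
        if w.asset == asset and admin in w.approved_admins and w.start <= now < w.end:
            return True, f"maintenance window from {w.start.isoformat()}"
    return False, "no assigned open ticket or approved maintenance window"

# Constructed sample data: fictitious assets, admins, tickets and times.
TICKETS = [Ticket("INC0001", "db-prod-01", "alice", "in_progress"),
           Ticket("INC0002", "db-prod-01", "bob", "closed"),
           Ticket("INC0003", "app-01", "frank", "in_progress")]
WINDOWS = [MaintenanceWindow("app-01", datetime(2024, 3, 2, 22, 0),
                             datetime(2024, 3, 3, 2, 0), frozenset({"carol"}))]
ACTIVE = [("dave", "app-01"), ("erin", "app-01")]  # two admins already on app-01
T_DAY, T_IN_WINDOW, T_AFTER = (datetime(2024, 3, 1, 10, 0),
                               datetime(2024, 3, 2, 23, 0), datetime(2024, 3, 3, 3, 0))
if __name__ == "__main__":
    for who, what, when, live in [("alice", "db-prod-01", T_DAY, ACTIVE), ("carol", "app-01", T_IN_WINDOW, []), ("frank", "app-01", T_DAY, ACTIVE)]:
        print(who, what, evaluate_request(who, what, when, TICKETS, WINDOWS, live))
```

Every denial carries a reason string, which is what the SIEM integration and line-manager review described above need in order to explain an alert.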

Outcome & Business Impact

  • Improved Security Posture: Eliminated unauthorized privileged access and reduced the risk of insider threats.

  • Enhanced Compliance: Met NYDFS cybersecurity and SOX regulatory requirements.

  • Operational Stability: Prevented unplanned outages caused by uncontrolled access.

  • Increased Accountability: Established full auditability of administrative actions.

  • Risk Reduction: AI-driven anomaly detection minimized insider threat risks.

  • Internal Threat Management: Strengthened control mechanisms to prevent misuse of privileged access and insider risks.

By implementing a structured PAM program, the firm significantly strengthened its security framework, ensured compliance with regulatory requirements, and enhanced operational resilience while minimizing access-related risks.
