PCI-DSS auditors don't wait. Your tenant doesn't have to.
GLBA, PCI-DSS, SOC 2, NY DFS 23 NYCRR 500 — all mapped. Free 14-day trial.
Why This Matters for Financial Services
Every regulator in your stack is looking at how you secure your Microsoft 365 environment. Most findings are preventable misconfigurations.
Regulators Are Auditing M365 Directly
NY DFS 23 NYCRR 500 requires covered entities to certify annually that their cybersecurity program meets specific technical requirements, including multi-factor authentication (Section 500.12, which the 2023 amendment extends to all individuals accessing the entity's information systems by November 2025), encryption of nonpublic information in transit and at rest (Section 500.15), and audit trails retained for at least five years where they reconstruct material financial transactions and at least three years where they serve to detect and respond to cybersecurity events (Section 500.06). FFIEC examiners increasingly request screenshots and configuration exports from M365 as primary audit evidence. A misconfigured Conditional Access policy or a disabled audit log is no longer just an IT issue; it is an examiner finding.
PCI-DSS Scope Extends Into M365
If cardholder data flows through email, Teams, or SharePoint, or if M365 user accounts have access to systems that process cardholder data, then M365 is in scope for PCI-DSS. Requirement 8 mandates MFA for all non-console administrative access into the cardholder data environment (8.4.1) and, under v4.0, for all access into the CDE (8.4.2). Requirement 10 mandates audit log collection, review, and retention. Requirement 7 demands least-privilege access controls. Most financial institutions have not formally evaluated how their M365 configuration maps to these requirements, creating a hidden compliance gap that QSAs now probe explicitly.
Cyber Insurance Underwriters Have Changed
Financial services organizations saw average premium increases of 60-100% over 2021-2023 as underwriters hardened their M365 security requirements. Underwriters now ask specific questions about MFA coverage, conditional access policies, privileged identity management, and email security configurations. Organizations that can demonstrate current, documented compliance posture — not just a policy binder — negotiate measurably better coverage terms. Our assessment generates the technical evidence underwriters and brokers actually want to see.
What We Audit
Thousands of checks mapped to the specific controls that financial regulators and auditors evaluate.
Identity & Access Controls
MFA enforcement for all users and admins, least-privilege role assignments, privileged identity management activation policies, guest account governance, and service account exposure — mapped to NY DFS Section 500.12 and PCI-DSS Requirement 8.
Email & Data Loss Prevention
DLP policies covering nonpublic customer financial information, external forwarding rule detection, anti-phishing and anti-spoofing configurations, and DMARC enforcement — directly relevant to GLBA Safeguards Rule technical requirements.
Audit Logging & Retention
Unified Audit Log coverage, retention periods against the NY DFS five-year (financial transaction) and three-year (event detection) requirements and the PCI-DSS 12-month minimum, Azure Monitor integration, and Defender for Office 365 alert policy completeness for incident reconstruction.
Conditional Access & Zero Trust
Named location policies, device compliance requirements, risk-based sign-in controls, legacy authentication blocking, and session control policies — the foundation of any FFIEC-aligned access management program.
Data Encryption & Protection
Sensitivity label deployment across SharePoint and Teams, encryption in transit enforcement, Azure Key Vault access policies, and customer-managed encryption key configurations for data at rest, covering PCI-DSS Requirements 3 and 4 where applicable.
Third-Party App & Integration Risk
OAuth app consent governance, third-party integrations with access to sensitive financial data, SharePoint external sharing policies, and Teams external access controls — a growing focus area in NY DFS third-party service provider requirements.
Compliance Coverage
Every finding is tagged to the specific regulation section it addresses. One assessment, every regulator covered.
PCI-DSS v4.0
We map your M365 and Azure configuration to PCI-DSS Requirements 7, 8, 10, and 12 — the requirements most directly implicated by M365 configuration gaps. Findings include the specific PCI-DSS control number and testing procedure.
SOC 2 Type II
We map your M365 configuration to the Trust Services Criteria — Security, Availability, Confidentiality, and Privacy — generating evidence you can hand directly to your auditor for the CC6 and CC7 control families.
NY DFS 23 NYCRR 500
We map your environment to NY DFS Sections 500.06 (Audit Trail), 500.07 (Access Privileges), 500.12 (MFA), and 500.14 (Training & Monitoring) — covering the technical controls most frequently cited in NY DFS enforcement actions.
GLBA Safeguards Rule
We map your M365 configuration to the FTC Safeguards Rule requirements for access controls, encryption, multi-factor authentication, and monitoring, the technical standards that apply to non-bank financial institutions under GLBA (banks and credit unions are held to the equivalent Interagency Guidelines by their prudential regulators).
FFIEC Cybersecurity Assessment
We map your configuration to the FFIEC Cybersecurity Assessment Tool domains (Cyber Risk Management, Threat Intelligence, Cybersecurity Controls, and External Dependency Management) as they apply to your M365 environment. Note that the FFIEC retired the CAT on August 31, 2025 and now points institutions to frameworks such as NIST CSF 2.0 and the CISA Cybersecurity Performance Goals, so treat this mapping as a crosswalk rather than an examination standard.
NIST 800-53 & CIS M365
Additional mappings to NIST SP 800-53 and the CIS Microsoft 365 Benchmark — the frameworks most commonly referenced in cyber insurance applications and vendor assessment questionnaires from major financial institutions.
Financial Services Risk Spotlight
The M365 and Azure findings that carry the highest regulatory and business risk for financial institutions.
Admin Accounts Without MFA
Global Administrator and privileged role accounts that bypass multi-factor authentication — the single highest-risk finding in financial services tenants and a mandatory remediation item under NY DFS Section 500.12 and PCI-DSS Requirement 8.4.
Sensitive Data in SharePoint Without DLP
Customer account data, loan documents, and NPI stored in SharePoint sites with no Data Loss Prevention policies and external sharing enabled — a direct GLBA Safeguards Rule exposure and a common finding in financial services assessments.
Audit Logs Shorter Than Regulatory Minimums
NY DFS Section 500.06 requires audit trails that reconstruct material financial transactions to be retained for at least five years, and records used to detect and respond to cybersecurity events for at least three years. PCI-DSS Requirement 10.5.1 requires at least 12 months of audit log history, with the most recent three months immediately available for analysis. Default M365 unified audit log retention is 180 days with Audit (Standard) and one year with Audit (Premium); anything longer requires an audit log retention policy and, beyond one year, the 10-Year Audit Log Retention add-on, or export to a SIEM. The gap is consistently one of the most common NY DFS examination findings for covered entities.
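The following check script is an added example for this finding; it is not the vendor's scanner and not part of the original page. It measures configured unified audit log retention against the minimums quoted above. It assumes that `Connect-ExchangeOnline` and `Connect-IPPSSession` have both already been run (the retention cmdlet lives in Security & Compliance PowerShell) by an account with audit log read rights, and that a tenant with no custom policy retains 180 days (Audit Standard); the `$baselineDays` value is an assumption you should adjust if every audited user holds an Audit (Premium) licence.

```powershell
# Added example, not the vendor's scanner: configured audit retention vs. the
# regulatory minimums quoted in the text. Assumes Connect-ExchangeOnline and
# Connect-IPPSSession have already been run.
$RequiredDays = [ordered]@{
    'NY DFS 500.06(a)(1) material financial transactions' = 5 * 365
    'NY DFS 500.06(a)(2) cybersecurity event detection'   = 3 * 365
    'PCI DSS 10.5.1 audit log history'                    = 365
}

# 1. No ingestion, no evidence: this must be $true before retention even matters.
$ingestionOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. Mailbox auditing is on by default; this tenant-wide switch can silently turn it off.
$mailboxAuditOff = (Get-OrganizationConfig).AuditDisabled

# 3. Custom retention policies. Assumed baseline when no policy exists: 180 days with
#    Audit (Standard), 365 with Audit (Premium). Three years and longer additionally
#    require the 10-Year Audit Log Retention add-on licence.
$baselineDays = 180   # assumption: tenant on Audit (Standard)
$durationDays = @{
    SixMonths = 182; NineMonths = 273; OneYear = 365
    ThreeYears = 1095; FiveYears = 1825; SevenYears = 2555; TenYears = 3650
}
$policies = @(Get-UnifiedAuditLogRetentionPolicy)

# A policy only covers the RecordTypes/Operations it is scoped to, so this is the
# best case; review each policy's scope by hand before claiming compliance.
$bestCaseDays = $baselineDays
foreach ($p in $policies) {
    $d = $durationDays[[string]$p.RetentionDuration]
    if ($d -gt $bestCaseDays) { $bestCaseDays = $d }
}

$report = foreach ($req in $RequiredDays.GetEnumerator()) {
    [pscustomobject]@{
        Requirement  = $req.Key
        RequiredDays = $req.Value
        BestCaseDays = $bestCaseDays
        Meets        = ($ingestionOn -and -not $mailboxAuditOff -and $bestCaseDays -ge $req.Value)
    }
}
$report | Format-Table -AutoSize
$policies | Select-Object Name, Priority, RetentionDuration, RecordTypes | Format-Table -AutoSize
```

Where the tenant cannot be licensed for five years of native retention, the usual remediation is a continuous export to Azure Monitor or a SIEM; examiners accept exported logs as the audit trail provided the export started before the retention window you are claiming.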
Unconstrained OAuth App Consent
User-level OAuth consent enabled, allowing any employee to grant third-party apps access to financial data stored in M365 — a direct NY DFS third-party service provider risk and a common vector for data exfiltration that bypasses traditional security controls.
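The following script is an added example for this finding, not the vendor's scanner and not part of the original page. It reads the tenant's user-consent setting through Microsoft Graph PowerShell, classifies it, and lists the delegated grants individual users have already made. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the `Policy.Read.All` and `Directory.Read.All` scopes; the list of "sensitive" scope prefixes is an assumption to tune for your data.

```powershell
# Added example, not the vendor's scanner: user-consent posture via Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# The permission-grant policy assigned to the default user role encodes what
# ordinary users may consent to on their own:
#   (none)                                                      -> user consent disabled
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> low-impact, verified publishers only
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> any app, any permission (the finding)
$authz  = Get-MgPolicyAuthorizationPolicy
$grants = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$verdict = switch -Wildcard ($grants -join ',') {
    ''                                 { 'user consent disabled (admin consent required)' }
    '*microsoft-user-default-low*'     { 'restricted: low-impact permissions from verified publishers' }
    '*microsoft-user-default-legacy*'  { 'UNCONSTRAINED: users may grant any app any permission' }
    default                            { "custom policy: $($grants -join ',')" }
}

# With user consent restricted, the admin consent workflow is what stops the
# business from simply routing around the control; check it is on and staffed.
$workflow = Get-MgPolicyAdminConsentRequestPolicy
[pscustomobject]@{
    UserConsent                 = $verdict
    AdminConsentWorkflowEnabled = $workflow.IsEnabled
    ReviewerCount               = @($workflow.Reviewers).Count
} | Format-List

# Grants already made by individual users (ConsentType 'Principal'), with the
# scopes handed over. Assumed "sensitive" prefixes: mail, files, sites, directory.
$sensitive = 'Mail\.|Files\.|Sites\.|Directory\.|Contacts\.|User\.Read\.All'
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' }
$userGrants | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App       = $sp.DisplayName
        Publisher = $sp.PublisherName
        Tenant    = $sp.AppOwnerOrganizationId
        User      = (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName
        Scopes    = $_.Scope
        Sensitive = [bool]($_.Scope -match $sensitive)
    }
} | Sort-Object Sensitive -Descending | Format-Table -AutoSize
```

Switching the tenant to the `microsoft-user-default-low` policy (or disabling user consent) only affects future grants; the existing `Principal` grants listed by the script stay in force until an administrator revokes them, which is why the second half of the check matters to an examiner.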
Business Email Compromise Exposure
Missing anti-spoofing policies, DMARC not in enforcement mode, and impersonation protection gaps that leave financial staff vulnerable to BEC attacks — the highest-dollar fraud vector targeting financial institutions, with average losses exceeding $100K per incident.
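The following script is an added example covering this finding and the email controls listed under "Email & Data Loss Prevention" above; it is not the vendor's scanner and not part of the original page. It checks DMARC enforcement for each accepted domain, the anti-phishing policy settings that drive impersonation protection, and the three places automatic forwarding can be configured. It assumes `Connect-ExchangeOnline` has already been run with at least View-Only Organization Management rights, that it runs on Windows (`Resolve-DnsName` is from the DnsClient module), and that external inbox-rule recipients render as `"Name" [SMTP:user@domain]`, which is the format I have seen from `Get-InboxRule`; adapt the regex if your tenant prints them differently.

```powershell
# Added example, not the vendor's scanner: BEC exposure checks in Exchange Online.
# Assumes Connect-ExchangeOnline has already been run.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$publicDomains   = $acceptedDomains | Where-Object { $_ -notlike '*.onmicrosoft.com' }

# --- DMARC: p=reject (or at least quarantine) on every customer-facing domain ----
function Get-DmarcPolicy([string]$Domain) {
    $rec = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $rec) { return 'not-published' }
    $txt = $rec.Strings -join ''                       # long records are split into chunks
    if ($txt -match '(?:^|;)\s*p\s*=\s*(\w+)') { return $Matches[1].ToLower() }
    return 'malformed'
}
$publicDomains | ForEach-Object {
    $p = Get-DmarcPolicy $_
    [pscustomobject]@{ Domain = $_; DmarcPolicy = $p; Enforced = ($p -in 'reject', 'quarantine') }
} | Format-Table -AutoSize

# --- Anti-phishing: impersonation and spoof intelligence settings per policy -----
Get-AntiPhishPolicy | Select-Object Name, Enabled,
    EnableTargetedUserProtection, EnableTargetedDomainsProtection,
    EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection,
    EnableSpoofIntelligence, PhishThresholdLevel | Format-List

# --- Auto-forwarding: tenant control, mailbox-level forwarding, inbox rules ------
# AutoForwardingMode 'Off' blocks external auto-forward; 'On' allows it; 'Automatic'
# defers to Microsoft's default (currently off). Report anything that is not 'Off'.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode | Format-Table -AutoSize

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

$externalRules = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            # External recipients carry an SMTP address; internal ones render as EX: legacy DNs
            # and are skipped. (Rendering format is an assumption; see lead-in.)
            if ("$t" -match 'SMTP:([^\]\s]+)\]') {
                $addr   = $Matches[1]
                $domain = ($addr -split '@')[-1].ToLower()
                if ($domain -notin $acceptedDomains) {
                    [pscustomobject]@{
                        Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name
                        Enabled = $rule.Enabled;          ForwardsTo = $addr
                    }
                }
            }
        }
    }
}
$externalRules | Format-Table -AutoSize
```

`Get-InboxRule` is called once per mailbox, so on a large tenant the last section is slow; for periodic detection, the `New-InboxRule` and `Set-InboxRule` operations in the unified audit log are the cheaper signal, with this script used as the point-in-time evidence export.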
Legacy Authentication Still Active
Exchange Online and other services still accepting legacy authentication protocols that cannot enforce MFA. Microsoft disabled Basic authentication for most Exchange Online protocols in early 2023, but SMTP AUTH was excluded and can still be enabled per mailbox, and nothing prevents legacy clients from authenticating unless a Conditional Access policy explicitly blocks them. Blocking legacy authentication is an implicit requirement of the MFA mandates in both NY DFS Section 500.12 and PCI-DSS Requirement 8, and it remains one of the top initial access techniques used in financially motivated intrusions.
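The following script is an added example covering this finding and "Admin Accounts Without MFA" above; it is not the vendor's scanner and not part of the original page. It uses Microsoft Graph PowerShell to find directory-role holders with no MFA method registered, to test whether enabled Conditional Access policies require MFA for administrators and block legacy clients, and then Exchange Online PowerShell for SMTP AUTH. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an Entra ID P1 licence (needed for Conditional Access and the registration report), and that the signed-in account can consent to the listed scopes. The Global Administrator role template ID is the well-known `62e90394-69f5-4237-9190-012177145e10`.

```powershell
# Added example, not the vendor's scanner: admin MFA and legacy-auth coverage.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Security Defaults, if on, already require MFA for admins and block legacy auth
# tenant-wide; tenants with Conditional Access normally have it off.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($secDefaults.IsEnabled)"

# --- Finding: admin accounts without MFA -----------------------------------------
# The registration report marks directory-role holders (IsAdmin) and whether any
# MFA-capable method is registered. Registered is not the same as enforced, so the
# Conditional Access check below is needed as well.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All
$admins | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaCapable, IsMfaRegistered | Format-Table -AutoSize

# --- Conditional Access policies --------------------------------------------------
$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'
$policies = Get-MgIdentityConditionalAccessPolicy -All
$enabled  = $policies | Where-Object { $_.State -eq 'enabled' }   # report-only does not count

# MFA for administrators: an enabled policy scoped to directory roles (including
# Global Administrator) with an 'mfa' grant control.
$adminMfa = $enabled | Where-Object {
    $_.Conditions.Users.IncludeRoles -contains $GlobalAdminRole -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

# Legacy auth block: all users, all cloud apps, both legacy client types, grant = block.
$legacyBlock = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

[pscustomobject]@{
    AdminMfaPolicies       = @($adminMfa).Name -join ', '
    LegacyAuthBlockPolicies = @($legacyBlock).Name -join ', '
    AdminMfaEnforced       = [bool]$adminMfa -or $secDefaults.IsEnabled
    LegacyAuthBlocked      = [bool]$legacyBlock -or $secDefaults.IsEnabled
} | Format-List

# Every exclusion on those policies is a gap an examiner will ask about.
foreach ($p in @($adminMfa) + @($legacyBlock)) {
    [pscustomobject]@{
        Policy         = $p.Name
        ExcludedUsers  = @($p.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups = @($p.Conditions.Users.ExcludeGroups).Count
        ExcludedRoles  = @($p.Conditions.Users.ExcludeRoles).Count
    }
}

# --- SMTP AUTH: the legacy protocol Microsoft's 2023 Basic-auth shutdown left alone --
Connect-ExchangeOnline -ShowBanner:$false
"Tenant SMTP AUTH disabled: $((Get-TransportConfig).SmtpClientAuthenticationDisabled)"
# $false = explicitly enabled on the mailbox; $null = inherits the tenant setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled | Format-Table -AutoSize
```

The policy tests are deliberately strict: a legacy-auth block scoped to a pilot group, or an admin-MFA policy left in report-only mode, is reported as absent, which matches how a QSA or NY DFS examiner will read the configuration export.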
"Our QSA told us our M365 environment was the weakest link in our PCI-DSS posture. Within a week of the assessment, we had a prioritized remediation list with the exact PCI-DSS requirement numbers attached to every finding. We closed 23 gaps before our formal QSA engagement. That saved us weeks of back-and-forth."
Evidence-ready compliance. In under 10 minutes.
Start with a free Community Scan. See real findings mapped to the regulations your examiners, auditors, and underwriters actually evaluate.
Read-only access — no changes to your tenant — exportable evidence packages included.