NYDFS Strengthens MFA Requirement: What You Need to Know

As the de facto finance capital of the United States, New York has some of the toughest cybersecurity regulations in the country. These got even stricter with the industry letter issued last month by the state Department of Financial Services (NYDFS), which emphasizes strong, across-the-board multi-factor authentication. Among other guidance, the letter specifically calls out protection for remote access and authentication methods that resist phishing and other attacks.

What Is the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of legal obligations for certain companies operating in New York and has been fully in force since early 2019.

The legislation is designed to counter the large-scale increase in cyberthreats to financial firms that conduct business in New York and protect customers and their data from cybercriminals. Cyberattacks that focus on stealing customer data continue to grow in frequency and scope, especially with the move to remote working during the COVID-19 crisis. These attacks are heightened by inadequate data protection protocols, with lack of effective multi-factor authentication (MFA) the most frequently exploited cybersecurity gap. According to the NYDFS’ figures from January 2020 to July 2021:

• 18.3 million customers were affected by cyberattacks reported to the NYDFS
• 64% of the companies reporting attacks had gaps in their MFA
• 23% of small businesses suffered cyberattacks
• 82% of these small businesses had not properly implemented MFA

Non-compliance with the legislation has already resulted in multimillion dollar fines for businesses, as we discussed with legal expert Rafi Azim-Khan. Not only are non-compliant firms materially affected through direct government fines and penalties, they can incur significant costs in terms of expedited remedial security work. On top of that, revenue may be impacted through non-eligibility for tenders and loss of consumer trust.

Who Does the NYDFS Cybersecurity Regulation Affect?

As stated in the NYDFS Cybersecurity Regulation, covered entities are “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

Some examples of these are:

• Investment firms
• State-chartered banks and private bankers
• Holding companies
• Mortgage brokers
• Charitable foundations
• Foreign banks licensed to operate in New York
• Purchasing groups
• Internationally active insurance companies
• New York state-registered corporations
• Service contract providers

There are certain exemptions for smaller firms with fewer than 10 employees and under $5 million in gross revenue from New York business operations. Apart from those exempt entities, even firms registered outside New York that sell financial services to residents of New York must comply with the legislation and the NYDFS multi-factor authentication requirement. 

What Are the Terms of the NYDFS Cybersecurity Regulation?

As the NYDFS Cybersecurity Regulation mainly focuses on the activities and services of firms in the financial industry, it is not as broad as other data protection regulations. However, in several respects, it calls for stricter procedures. Here are some of the main features of the regulation:

• Regulated entities must have a risk-assessed cybersecurity program to protect the confidentiality and integrity of their information systems.
• Companies must implement a cybersecurity policy covering data governance, access controls, and customer data privacy, among other features.
• Firms must have a designated chief information security officer (CISO).
• The data to be protected is virtually all nonpublic information, that is all electronic information that is not publicly available, could be used to identify someone or has been derived from a healthcare provider.
• User access privileges to nonpublic information must be limited.
• Effective controls, including multi-factor authentication (MFA), should protect nonpublic information. This measure becomes an obligation when the network is being accessed externally.
• Notices of cybersecurity events must be made to the NYDFS superintendent within 72 hours.

There are also several other features of the legislation that focus on application security, risk assessment and incident response. Finally, it should be noted that there was no specific directive on the size of violation fines at the regulation’s release; however, subsequent punishments have set a precedent for other firms in terms of the scale of potential financial penalties for non-compliance.

NYDFS Cybersecurity Regulation and Multi-Factor Authentication

In December 2021, the NYDFS released an industry letter specifically related to Section 500.12 of the NYDFS Cybersecurity Regulation regarding multi-factor authentication. They were concerned that not enough emphasis had been given in the original document around one of the most important aspects of the regulation. Too many cyber incidents are occurring where covered entities are in violation of rules on MFA implementation, which the NYDFS regards as “an essential part of cybersecurity hygiene.”

However, not all MFA implementations are equal, and many cyber incidents occur through improper or easily circumvented multi-factor authentication. Indicatively, the NYDFS lists some of the most common issues that prevent effective MFA implementation.

• Issues with legacy system authentication: Many older applications and systems, especially Microsoft Outlook, still rely on basic (that is, username and password) authentication. This can create issues, even after upgrades, if these legacy systems are not properly deactivated and decoupled from their networks.
• Remote access: As more people choose to work from home, remote access has become the norm. Unfortunately, security was made secondary to expediency, meaning many applications could still be accessed without MFA.
• Lack of third-party MFA: Many companies allow third parties such as partners and contractors to access nonpublic information without requiring them to authenticate through MFA. This is in direct violation of the NYDFS multi-factor authentication requirement. 
• Exceptions: Some users may push back against traditional MFA implementation due to its complexity and the extra time it takes for authentication. When exceptions are made for these users, it creates a network of backdoors for attackers and makes these users more susceptible to attack. 
• Privileged accounts: As the NYDFS notes, “In every case where cybercriminals escalated privileges during a reported Cybersecurity Event, the privileged account lacked MFA.” Privileged accounts should be the highest priority for strong authentication measures, specifically MFA.
• Weak multi-factor authentication: Many types of MFA, such as SMS one-time passwords (OTPs) and push notifications, are already easy to circumvent by attackers. Those looking to comply with the NYDFS Cybersecurity Regulation must consider this in their risk-based assessments.

How to Easily Achieve Compliance With the NYDFS Multi-Factor Authentication Requirement

While the original release of the NYDFS Cybersecurity Regulation covered the broad remit of the legislation and the obligation of covered entities more generally, the subsequent release of their guidance document on MFA shows quite clearly the focus is on stronger authentication controls. This is in line with the federal government’s emphasis on strong MFA within a Zero Trust framework in its Executive Order on Cybersecurity. The NYDFS also notes that multi-factor authentication is one of the most cost-effective means for all businesses to greatly improve their cybersecurity. 

Implementing a flexible, easy-to-use and compliant MFA system doesn’t have to be a difficult task. Through passwordless authentication solutions, such as HYPR’s True Passwordless MFA, strong cryptographically-secure employee and customer authentication can be met by transforming an ordinary smartphone into a FIDO token. HYPR’s solution also covers exceptions such as offline authentication, remote access and alternative devices. In addition, it integrates seamlessly with popular SSO providers and involves minimal user friction, which increases adoption, improves productivity and facilitates buy-in from business stakeholders. 

Learn how HYPR’s passwordless MFA solution can help ensure compliance with the NYDFS multi-factor authentication requirement with minimum implementation time and resource costs.