What is NYDFS and what does it have to do with authentication?
The New York State Department of Financial Services (NYDFS) is the regulatory body overseeing New York state’s financial services standards and regulations. In March 2017, the NYDFS Cybersecurity Regulation (23 NYCRR Part 500) went into effect. This regulation requires covered entities to assess their cybersecurity risk profile and take steps to protect customers and the institution.
While 23 NYCRR Part 500 has many provisions, its primary goal is to protect customer data and prevent financial fraud. As a result, one of its key areas of focus is enforcing the use of strong multi-factor authentication (MFA).
This focus on MFA was underscored in an industry letter released by the NYDFS in December 2021. In the letter, the Department stated that “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies. Since the Cybersecurity Regulation went into effect, DFS has scrutinized hundreds of cyber incidents at DFS-licensed organizations (‘Covered Entities’), and seen MFA gaps exploited over and over again,” and it provided an overview of the common MFA failures organizations need to correct.
The NYDFS has also demonstrated its focus on MFA through the fines it has issued. In April 2021, the NYDFS assessed a penalty of $3 million, its largest to date, on a life insurance and annuities company. The company failed to implement MFA on its email applications until August 2020, more than two years after the regulation's MFA requirement (section 500.12) took effect in March 2018. During that window, attackers accessed the company's email systems multiple times and used them to send phishing emails.
Who the regulation applies to
23 NYCRR Part 500 is intended to protect the personal financial information of New York residents. This means the regulation applies both to organizations registered within New York and to companies registered outside the state that are licensed by the Department to serve New York residents.
23 NYCRR Part 500 applies to a variety of companies. Some of the types of organizations subject to the regulation include—but are not limited to:
- Investment companies
- Licensed lenders
- Budget planners
- Life insurance companies
- Trust companies
- Mortgage bankers
- Holding companies
- Health insurers
- Charitable foundations
The list of covered entities under the regulation is broad, and the regulation lists only a few exemptions. A covered entity qualifies for a limited exemption if it meets any one of the following: fewer than ten employees (including independent contractors), less than $5 million in gross annual revenue from New York business operations, or less than $10 million in year-end total assets. The exemption is partial, not a blanket one: a qualifying entity must file a notice of exemption with the Department and remains subject to several core provisions of the regulation.
What does secure MFA look like per NYDFS?
According to the NYDFS, MFA should be enabled for all remote access to an organization's systems, including cloud-based Software as a Service (SaaS) offerings such as Microsoft 365 (O365) and Google Workspace (G Suite). Additionally, all privileged accounts should have MFA enabled, for both internal and external access. In many of the incidents the Department reviewed, MFA programs were rolled out too slowly, if they were implemented at all.
While exceptions to corporate MFA policies may be permitted, they should be limited, and the decision to use MFA should not be left to the end user. One of the common errors called out in the NYDFS industry letter is overly permissive and permanent exceptions, such as exempting all C-suite executives from MFA requirements. The letter also notes that when MFA enrollment is left up to end users, many never set it up, leaving uneven security coverage across the organization.
The NYDFS also expects MFA to be secure and effective. In its industry letter, the Department explicitly called out weaker forms of MFA, such as push-based and SMS text-based MFA, which are vulnerable to human error, social engineering, and SIM-swapping attacks. After implementing an MFA system, the NYDFS recommends verifying its effectiveness through penetration tests, audits, and vulnerability scans.
How Beyond Identity helps companies comply with NYDFS
According to the NYDFS, the main problems covered entities face with regard to MFA are that programs are not implemented, include too many exclusions, or rely on weak forms of MFA. Often, companies implement push-based or SMS-based MFA, which adds friction for users and remains vulnerable to the social engineering and SIM-swapping attacks described above.
Beyond Identity makes it fast and easy for organizations to implement NYDFS-compliant MFA. Some of the key benefits of Beyond Identity include:
- Easy rollout: Beyond Identity has built-in integrations for all major identity providers (IdPs) and Identity-as-a-Service (IDaaS) offerings. This makes it fast and easy for companies to roll out MFA across their entire infrastructure in days, not weeks.
- User-friendly authentication: Beyond Identity offers passwordless authentication based on biometrics and public key cryptography. This makes it fast and easy for users to authenticate because they only need to tap a fingerprint scanner or look into a camera. There is no code, push notification, or second device required.
- Strong MFA: Beyond Identity MFA relies on strong authentication factors, including biometrics, asymmetric cryptography, and digital certificates bound to trusted devices. These factors are phishing-resistant: the private key never leaves the device, so there is no code for a user to type into, or an attacker to relay through, a fake login page.
- Centralized management: Beyond Identity centralizes monitoring and management of user authentication. This streamlines the deployment process and makes it easy for administrators to audit authentication events for troubleshooting or compliance reporting.
- Comprehensive MFA coverage: Beyond Identity closes the blind spot over cloud-based services by verifying device trust across all endpoints (managed and unmanaged) and enforcing compliance with your risk-based access policies. Plus, all authentications are multi-factor by default and invisible to the end-user so companies can avoid adoption issues.
Beyond Identity checks all of the boxes for compliance with NYDFS MFA guidance and provides strong, user-friendly protection of online accounts. Learn more about achieving NYDFS compliance with Beyond Identity by signing up for a free demo today.