NYCRR (NYDFS) Compliance
Overview
In 2017, New York Department of Financial Services (NYDFS) issued a cybersecurity regulation (23 NYCRR Part 500) that all financial services companies that service New York residents, including those registered outside of New York state, are subjected to.
A critical component of this regulation is the implementation of multi-factor authentication (MFA) or risk-based authentication. In fact, NYDFS issued follow up guidance calling out that “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies. Since the Cybersecurity Regulation went into effect, DFS has scrutinized hundreds of cyber incidents at DFS-licensed organizations (“Covered Entities”), and seen MFA gaps exploited over and over again.”
Beyond Identity helps you meet and exceed the MFA and risk-based authentication requirements as mandated by NYDFS.
Who does NYDFS apply to?
This regulation applies to “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
This means organizations registered outside of New York state that service New York residents must comply with NYDFS requirements.
Some examples of the types of companies that are considered a covered entity under this regulation include but are not limited to:
- BanksTrust companies
- Investment companies
- Mortgage bankers
- Licensed lenders
- Holding companies
- Budget planners
- Health insurers
- Life insurance companies
- Charitable foundations
Exemptions are very limited and covered entities are broad. The only exemptions are for organizations with fewer than 10 employees (including contractors), less than $5M in gross revenue from New York business operations, and less than $10 million in year-end total assets.
What’s the impact of NYDFS?
Fines:
- DFS Investigation Uncovers National Securities Corporation Failed to Implement Multi-Factor Authentication, Falling Victim to Four Cyber Breaches that Exposed its Customers’ Private Data - $3M fine
- First Unum and Paul Revere Life Insurance Failed to Implement Multi-Factor Authentication, Falling Victim to Two Phishing Attacks that Exposed Consumers’ Personal and Private Data - $1.8M fine
Actively reviewing MFA compliance:
- From January 2020 to July 2021, DFS found that more than 18.3 million consumers were impacted by cyber incidents reported to DFS had MFA failures…DFS is also increasing its review of MFA during examinations, with a particular emphasis on probing for the common MFA failures (weak MFA, incomplete rollout, lack of coverage for cloud-based applications, etc.).
Lowered customer satisfaction scores:
- Authentication friction causes the satisfaction scores to decrease and drop-off to competitors.
NYDFS Multi-Factor Authentication, Risk-Based Authentication & Beyond Identity
A key component of NYDFS regulation is the implementation of MFA or risk-based authentication.
Further emphasizing the criticality of MFA, following the release 23 NYCRR Part 500 in 2017, NYDFS issued an industry letter in December 2021 stating that “MFA weaknesses are the most common cybersecurity gap exploited at financial service companies” and provided an overview of common MFA challenges organizations need to overcome.
This table correlates the NYDFS requirements and its subsequent industry letter with Beyond Identity’s capabilities to meet and exceed those requirements.
.png)
.png)
.png)
