New York City Department of Financial Services Releases New Guidelines on Multi-Factor Authentication and Cybersecurity Frameworks | Faegre Drinker Biddle & Reath LLP

As cyber attacks continue to plague the financial services industry, the New York Department of Financial Services (NYDFS) recently released new guidelines for regulated entities regarding the use of multi-factor authentication (MFA) and cybersecurity frameworks.

On December 7, 2021, NYDFS released an official industry letter titled Multi-factor authentication advice (the Industry Letter). According to the Industry Letter, MFA “is an essential element of cybersecurity hygiene . . . this is why it was one of the few technical controls explicitly required by” the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (the Cybersecurity Regulation). However, the Industry Letter goes on to note that “MFA weaknesses are the most common cybersecurity loophole exploited by financial services companies”, most often due to the absence of MFA, incomplete implementation or incorrect configuration. Specifically, NYDFS noted that, from January 2020 to July 2021, more than 18.3 million consumers were affected by cybersecurity incidents reported to NYDFS that were related to an MFA failure.

The Industry Letter then highlighted several recurring MFA failures that are linked to an increased risk of falling victim to a cybersecurity incident, including the following:

  • Using legacy or obsolete systems that do not support MFA
  • Failure to require MFA for all applications or systems of a business
  • Failure to require MFA for third parties having access to a company’s applications or systems
  • Slow or incomplete deployments of MFA protocols
  • Allowing many exceptions to MFA protocols

According to the Industry Letter, “Covered Entities that have not filed a Section 500.19 exemption notice [of the Cybersecurity Regulation] must use MFA to remotely access all internal networks, including applications and systems, unless their CISOs have approved ‘the use of reasonably equivalent or more secure access controls’ based on a comprehensive risk assessment.”

The Industry Letter also noted that MFA is particularly important for privileged accounts. Since malicious actors often seek to exploit privileged or administrator accounts in their attacks, the failure to implement MFA on these accounts is particularly egregious and dangerous. In addition, companies should carefully consider which form of MFA is appropriate for their risk tolerance. The most commonly used are push-based and token-based MFA configurations. However, push-based configurations are susceptible to human error and are therefore easier for malicious actors to exploit. NYDFS also warned regulated entities to “test and validate the effectiveness of the implementation of MFA”.

Finally, the Industry Letter recommended that even small businesses exempted from the MFA requirement of the Cybersecurity Regulation implement MFA, as these companies increasingly find themselves the target of cybercriminals “eager to exploit a lack of MFA” and are aggressively targeted because they “have the information that cybercriminals want and generally lack the security infrastructure of large companies.”

The risk of non-compliance with the MFA requirements of the Cybersecurity Regulation is significant, as NYDFS noted in the Industry Letter that MFA will be “a target of [NYDFS’s] cybersecurity monitoring and enforcement work.” Notably, at least two cybersecurity enforcement actions resolved by NYDFS over the past year involved companies that “were required to implement MFA but had not fully implemented [it] and failed to prevent unauthorized access to their non-public information.” Additionally, NYDFS noted that it “also increases its review of MFA during exams, with a particular emphasis on finding common MFA failures[.]”

The Industry Letter was followed by a December 9, 2021 update to NYDFS’s online Cybersecurity FAQs. Specifically, NYDFS added the following question and answer to the list on its website:

Q: Should covered entities use a cyber assessment framework as part of their risk assessment process?

A: The risk assessments required by Sections 500.9 and 500.2(b) form the foundation of the comprehensive cybersecurity program required by the DFS Cybersecurity Regulation, and a cyber assessment framework is a useful part of a comprehensive risk assessment. DFS does not require a specific standard or framework to be used in the risk assessment process. Rather, we expect covered entities to implement a framework and methodology that best suits their risks and operations. Some of the frameworks widely used by Covered Entities include the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.

While stopping short of requiring the use of a specific framework, the new question and answer indicates that NYDFS expects regulated entities to implement and use a framework as part of the comprehensive risk assessments required under the Cybersecurity Regulation.

Regulated financial services companies should pay close attention to the recent NYDFS guidelines on MFA and cybersecurity frameworks. Given the growing number of cyber attacks and NYDFS’s active enforcement posture, failure to implement MFA and an adequate cybersecurity framework as part of a comprehensive risk assessment would leave a company open to public action and significant financial sanctions. Additionally, the use of both MFA and a cybersecurity framework can reduce risk and mitigate damage from cyber attacks.

Stephen V. Lee