The New York Department of Financial Services (NYDFS) continues to refine its position regarding the importance of and requirements regarding Multi-Factor Authentication (MFA), as evidenced most recently with the release of new guidance. This new guidance is consistent with its June guidance, in which NYDFS clarified its expectation that NYDFS-regulated covered entities subject to 500.12 implement MFA for any individual accessing the covered entity’s internal networks, externally exposed enterprise applications, and third-party applications from an external network.
The June guidance was released when the rate of ransomware attacks was rapidly increasing and reflected NYDFS concerns regarding ransomware’s potential to destabilize the financial system. Now, NYDFS has identified the lack of MFA as a specific and significant weakness of financial organizations and further clarifies its explicit requirement for this “essential control.”
NYDFS is using all tools at its disposal to address gaps in MFA coverage at covered entities, including through guidance, examinations, and enforcement. Since the Cybersecurity Regulation went into effect in 2017, according to NYDFS, MFA weaknesses have been “the most common cybersecurity gap exploited” at financial services companies. From January 2020 to July 2021, NYDFS found that more than 18.3 million consumers were impacted by cyber incidents reported to the Department in which Covered Entities experienced MFA failures. While MFA (or reasonably equivalent or more secure compensating controls) has been consistently required by NYDFS since the inception of 23 NYCRR 500, in the last year the Department resolved two enforcement actions against companies that were required to implement MFA but had not done so. The Department has also announced that it is increasing its review of MFA during the examinations cycle. NYDFS’ focus in the examinations context will be on the common weaknesses described below, but the Department will also want to know whether Covered Entities have MFA for privileged accounts, use token-based or push-based MFA (with a stated preference for token-based), and have a process for regular testing and validation of MFA. Based on past guidance, enforcement actions, and the anticipated scrutiny during the examinations process, NYDFS appears to have laid the groundwork for additional enforcement actions in the future.
Common Weaknesses in Use of MFA
NYDFS notes the following as the most common weaknesses in MFA that are violations of the Section 500.12 requirement:
- Legacy systems that do not support MFA: When outdated applications and systems do not support MFA, a Covered Entity can find itself in violation of the MFA requirement. It is important to keep an inventory of IT assets and ensure that they are either protected by MFA or decommissioned if no longer in use. Exploitation of a lack of MFA is most often seen in Microsoft email services and entities should elect modern authentication over basic authentication when using Microsoft’s email services.
- MFA for remote access fails to cover all applications: Even when a Covered Entity has MFA for remote access, there may be applications such as email that can be accessed without VPN or other remote access tools. MFA must be in place for all systems, including those that can be accessed without a VPN.
- Lack of MFA for third parties with access to an internal network: Covered Entities must require MFA or the use of a reasonably equivalent control for all third parties (including independent insurance agents) accessing information systems with nonpublic information.
- Incomplete or slow MFA rollouts: When an MFA setup or rollout is incomplete or slow, gaps may be left in the MFA coverage. Additionally, Covered Entities should avoid MFA “self-setup” and designate one or more individuals to oversee the granting of remote access permission and configuration.
- Poor exceptions management: Covered Entities should establish a clear policy on MFA exceptions and have a plan for strict enforcement of that policy. Exceptions should be granted sparingly and should be regularly reviewed to ensure they do not last longer than necessary.
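The five weaknesses above map naturally onto checks a Covered Entity can run against its own IT asset inventory and MFA exception register. The following is an added illustration, not part of the NYDFS guidance or the GCA toolkit; the inventory fields, the asset names and the exception register are constructed assumptions, and the check for basic authentication reflects the guidance’s point that legacy mail authentication sidesteps MFA.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    name: str
    decommissioned: bool             # retired assets need no MFA
    supports_mfa: bool               # legacy systems often cannot
    mfa_enforced: bool
    reachable_without_vpn: bool      # e.g. webmail exposed directly
    basic_auth_enabled: bool = False   # legacy mail auth bypasses MFA
    third_party_access: bool = False   # e.g. independent agents

@dataclass
class MfaException:
    asset: str
    expires: date   # every exception must be time-bounded and reviewed

def audit_mfa_gaps(assets, exceptions, today):
    """Return (weakness, asset) pairs; an empty list means no gap was found."""
    findings = []
    # An expired exception is itself a finding and no longer excuses the asset.
    active_exc = {e.asset for e in exceptions if e.expires >= today}
    findings += [("stale-exception", e.asset) for e in exceptions if e.expires < today]
    for a in assets:
        if a.decommissioned:
            continue
        if a.basic_auth_enabled:   # MFA on the front door, basic auth round the back
            findings.append(("basic-auth-enabled", a.name))
        if a.mfa_enforced or a.name in active_exc:
            continue
        if not a.supports_mfa:
            findings.append(("legacy-no-mfa", a.name))
        elif a.reachable_without_vpn:
            findings.append(("remote-access-gap", a.name))
        else:
            findings.append(("incomplete-rollout", a.name))
        if a.third_party_access:
            findings.append(("third-party-no-mfa", a.name))
    return findings

# Constructed sample inventory and exception register (not real systems).
AUDIT_DATE = date(2022, 1, 10)
SAMPLE_ASSETS = [
    Asset("exchange-online", False, True, True, True, basic_auth_enabled=True),
    Asset("legacy-claims-app", False, False, False, False),
    Asset("agent-portal", False, True, False, True, third_party_access=True),
    Asset("old-file-server", True, False, False, False),
    Asset("hr-system", False, True, False, False),
]
SAMPLE_EXCEPTIONS = [MfaException("legacy-claims-app", date(2021, 12, 31))]
```

Running `audit_mfa_gaps(SAMPLE_ASSETS, SAMPLE_EXCEPTIONS, AUDIT_DATE)` on the constructed data yields one finding per weakness category, including the lapsed exception that still shields a legacy application from MFA.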
Although NYDFS took pains to recognize the difficulties cybersecurity can present for small businesses in the guidance, it nevertheless has held fast to its position regarding the importance of MFA implementation, in part due to the ongoing threat landscape. As cited by NYDFS, the U.S. Small Business Administration noted that small businesses are being aggressively targeted for their valuable information and lack of security infrastructure. To assist small and medium-sized businesses with cybersecurity controls, NYDFS has partnered with the Global Cyber Alliance (GCA) to promote GCA’s Cybersecurity Toolkit for Small Business, which includes step-by-step instructions for implementing MFA in applications often used by small businesses.