How Duo Enables Compliance and Improves Security for the NYDFS Finance Regulation 23 NYCRR 500
Financial institutions are out of compliance if they missed the March 1, 2019 final deadline for the New York State Department of Financial Services (NYDFS) cybersecurity regulation - 23 NYCRR 500.
23 NYCRR 500 Regulation
To keep pace with advances in technology, the NYDFS has mandated the 23 NYCRR 500 cybersecurity regulation, which is designed to protect customer data and information systems of regulated entities.
The regulation basically requires regulated entities to adopt a cybersecurity program based on the risk assessment of their information systems and meet the minimum standards prescribed by the NYDFS.
The New 23 NYCRR 500 Regulation States:
23 NYCRR 500 Requires Implementation of Multi-Factor Authentication
Who Does 23 NYCRR 500 Affect?
If your firm requires a license from DFS to operate in the state of New York, then most likely you are a “covered entity” and so are your firm’s third-party service providers.
The Costs of Non-Compliance
If you are unsure whether your organization is a “covered entity” — now is the time to act because non-compliance will have monetary and reputational consequences.
DFS’s newly created Consumer Protection and Financial Enforcement Division will enforce this regulation, and could calculate penalties (as per the New York Banking Law) with fines starting at $2,500 each day during which a violation continues — and up to $75,000 per day for knowing and willful violations.
Financial Services - Current State of Affairs
Financial services is one of the most regulated industries with strict standards of compliance. Following the financial crisis in 2007, was the enactment of the Consumer Protection Act (Dodd-Frank) in 2010 to provide more guardrails around financial business practices.
Regulating authorities such as Federal Trade Commision (FTC), Financial Industry Regulatory Authority, Inc. (FINRA), Federal Financial Institutions Examination Council (FFIEC) and the National Association of Insurance Commissioners (NAIC) have placed a strong emphasis on consumer data protection and privacy with cybersecurity programs.
Even with all these regulations, breaches still make the headlines more frequently than we would like — the most recent one being the Capital One data breach where more than 100 million credit card applications were stolen.
The New York State Department of Financial Services (NYDFS) released the following statement regarding cybersecurity on July 30, 2019:
“Today’s news about Capital One is just the most recent breach threatening the financial security and privacy of our consumers. These attacks are occurring with alarming regularity, and we remind all DFS-regulated entities to comply with required updates to their information and technology systems and to meet the standards set by New York’s cybersecurity regulation.”
Cybersecurity for Financial Service Pulse Check
If your organization is compliant, great! However, there is always room for improvement. As you onboard new business applications and move to cloud platforms such as AWS or Microsoft Azure, your incumbent security solution may not scale or meet the new set of challenges. Duo provides the broadest coverage for applications including custom or popular business apps, on-prem or in the cloud. Duo also supports advanced authentication methods whether you want to use push notifications or U2F, or more traditional methods such as hardware tokens.
If your organization is not compliant yet, don’t worry. Duo is one of the easiest solutions to use and can be deployed quickly with little IT overhead. The regulation requirements align closely with ISO 27001 and the NIST Cybersecurity Framework, which can be achieved quickly with Duo.
How Duo’s Solutions Help Fulfill the 23 NYCRR 500 Requirements:
500.02 Cybersecurity Program
(a) The regulation calls for a cybersecurity program that is designed to protect Confidentiality, Integrity and Availability of the information system, sometimes referred to as the CIA or AIC triad. Preventing unauthorized access is a critical component of maintaining confidentiality. Duo’s solution not only prevents unauthorized access but also delivers adaptive authentication to restrict access to network and cloud resources based on contextual information such as location, device hygiene and more. By implementing a cybersecurity program with such robust capabilities, you can reduce your organization’s attack surface.
(b) (2,3,4,6) The Zero Trust framework is emerging as a popular defense mechanism in today’s mobile and cloud landscape. With Duo, one can easily implement principles of zero trust to grant access only to trusted users and devices. Duo's solution records every authentication event and helps to detect compromised credentials. Administrators can also generate granular reports to fulfill regulatory obligations.
500.03 Cybersecurity Policy
(a,c,d,k) Administrators can set access policies at the global level or at a more granular level — user, device or application. They also gain complete visibility into the devices accessing applications in their environment, which in turn provides an inventory of endpoint assets. This level of granular control and visibility provides an added a layer of security. Further, Duo’s versatile MFA solution integrates with virtually any application containing sensitive information. Whether it's protecting customer data stored on internal networks or in cloud applications such Office 365, Duo prevents unauthorized access and minimizes risk of data breach due to compromised credentials.
500.06 Audit Trail
Duo provides detailed logs and visual reports of users, their device states and the access requests. The solution easily integrates with SIEM products such as Splunk for event correlation and further analysis.
500.07 Access Privileges
With Duo Administrators can restrict access to information at the application level with advanced application access policies. You can also synchronize Duo with your user directory to reflect the latest user status and associated device information.
500.12 Multi-Factor Authentication
(a,b) Duo’s industry leading solution is known for ease-of-use for both end-users and administrators, and for security. The solution provides granular access control policies and supports secure authentication methods such as Universal 2nd Factor (U2F), biometrics and push notification. Administrators can implement risk-based authentication policies using contextual factors such as user location, network address ranges, biometrics, device security and more.
500.14 Training and Monitoring
(a) Just by logging into the Duo Admin Panel, administrators get a detailed snapshot of their organization’s activity. Anomalous activities by authorized users can be detected by analysing the authentication log, which records every access event with details such as timestamp, device information, location, IP address and the application used.
Conclusion
In today’s world, data is more valuable than oil. Rightly so, regulatory authorities have started holding organizations across industries accountable for the consumer data they collect. While NYDFS is one of the first to roll out a cybersecurity regulation, it would come as no surprise if other institutions at the state or federal level follow suit.
Therefore, organizations will find it beneficial to stay ahead in the compliance game. Complying with regulatory requirements helps prevent penalties and fines due to willful violations. More importantly, compliance minimizes risk of a breach. Many organizations choose Duo because of the ease with which they can achieve compliance and improve security posture.
Customer Story
Read how Duo helped Citizens Union Bank (CUB) comply with various regulations.
Sign-up for a free trial to experience the product and see how Duo can satisfy some of the requirements outlined by the New York State Department of Financial Services (NYDFS) 23 NYCRR 500 regulation.