How Duo Helps You Comply With the NYDFS Cybersecurity Regulation
Financial services firms fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries. Forbes puts that at over 30 attacks per second. In response to the high volume of attacks and costly impact of breaches against financial services organizations and to attempt to protect the financial services industry and its consumers, the New York Department of Financial Services (NYDFS) proposed NYDFS Cybersecurity Regulation, 23 NYCRR 500 (PDF).
Who Is Impacted by the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to the over 3,000 financial institutions that operate under NYDFS licensure and to third-party service providers including:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks authorized to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
There are a few exemptions for who must comply with NYDFS, such as:
- Companies with fewer than 10 people
- A company with less than $5 million in gross annual revenue from New York State
- A company and its affiliates with less than $10 million in end-of-year assets
- A licensed captive insurer that does not, or is not required to control, access, receive or store non-public information beyond the information related to its corporate affiliates
- Charitable organizations
- Foreign risk groups operating in New York
The cybersecurity framework was introduced in 2016 with a four-phase rollout plan. Phase one was about implementing the basics and went into effect on Feb. 15, 2018. Covered entities were required to design a cybersecurity policy, designate a chief information security officer (CISO), and establish an incident response plan with breach notifications within 72 hours.
Phase two brought more security transparency to the industry and went into effect on March 1, 2018. It made organizations responsible for preparing annual reports on its information security policies and procedures, cyber risks, and the effectiveness of its cybersecurity programs. Covered entities were also required to design and implement a cybersecurity program to continually test their security resilience, as well as to implement multi-factor authentication (MFA).
Phase three, effective Sept. 3, 2018, called for covered entities to have a cybersecurity program in place showing the five-year audit trail highlighting the detection of and response to events; written guidelines and standards to secure in-house applications and the testing of external applications; a data retention policy for the disposal of non-public personal information; and the implementation of security controls, such as encryption of non-public business relations and personal information.
The fourth and final stage goes into effect March 1, 2019 and focuses on the security of third-party service providers covered by financial institutions.
How Duo Helps Organizations Comply With NYDFS
In phase two, the regulations mandate that MFA shall be used “for any individual accessing the Covered Entity’s internal networks from an external network unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls. (500.12 b)”
Specifically, section 500.1 defines MFA as:
Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic.
Not all MFA solutions are equal. We have found when organizations are forced by regulation to deploy a solution quickly there is often resistance from users, causing friction and frustration with the security team. With Duo’s multi-factor authentication, financial services organizations can secure remote access for all of their users with an MFA solution that is easy to deploy and use, thus reducing the friction of implementing a new security solution which adds the required second layer of security defined in the regulation.
We understand that the users within an organization have varied needs and technical abilities. In order to address this diversity Duo provides several different multi-factor authentication (MFA) methods which provide IT teams the ability to implement authentication while providing their users the ability to select from push-based notifications on a mobile/wearable device, one-time passcodes, Universal 2nd Factor (U2F) devices, phone callback, SMS passcodes, or hardware security tokens.
Adaptive Authentication and Policy Enforcement
The regulations also state:
Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. (500.12 a)
In sum, MFA must be used when accessing internal networks from an external network, unless the CISO has provided written approval to use reasonably equivalent, or more secure, access controls. (Section 500.12: Multi-factor Authentication, effective date: March 1, 2018)
Risk-Based Authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected. (Section 500.01 Definitions)
As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges. (500.07)
With Duo's endpoint visibility, you can get insight into the different users and devices accessing your applications so you can create and enforce policies that limit access based on risk.
Duo's solution allows you to enforce role-based access policies to grant or block access attempts by the user, device, or based on contextual factors - such as location, network address ranges, biometrics, device security and more.
This gives financial organizations the ability to implement a more dynamic/adaptive authentication solution that can help meet risk-based requirements, per the NYDFS cybersecurity regulations.
To comply with the NYDFS Cybersecurity Regulation, all financial institutions within scope, including third-party service providers, need to protect access to their internal networks with multi-factor authentication (MFA); adaptive authentication or risk-based authentication; and enforce policies to limit access privileges. Duo’s security platform can help protect users, devices, and applications with strong authentication and access controls.
Options Technology, the largest MSP serving the leading global investment banks, hedge funds, exchanges and other financial services firms, found “our customer satisfaction (CSTAT) scores have gone through the roof since we started using Duo. It may not be all Duo, but it played a big part in scores of 4.87 out of 5.”
Give Duo a try and see for yourself why so many financial services companies and insurance companies have deployed Duo to meet their MFA and application control requirements. Contact us today for a free demo or try Duo Security.