NYDFS Cybersecurity Regulation Mandates Multi-Factor Authentication

March 1st marked the moment at which financial services entities in New York must be in compliance with several sections of the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500. The regulation, which seems to lean heavily on the NIST Cybersecurity Framework, is in response to “the ever growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors” and their ability to exploit technological vulnerabilities to gain access to sensitive data. It’s meant to protect not only financial services institutions, but also the customers who have entrusted them with confidential data. Given that the financial services industry is a high-profile target for hackers - Verizon’s 2017 Data Breach Investigations Report found that 24% of reported breaches affected financial organizations, the highest of any industry - the regulation provides a foundation for improving the security posture of these organizations, as it requires them to establish key elements of a secure digital organization, such as a cybersecurity program and an appointed CISO. The NYDFS cybersecurity regulation also has global reach, as it can apply to any international financial services organization that has branches in New York.

As of last week, organizations that fall within the purview of the regulation (essentially any medium- to large-sized financial services entity in New York) now have to comply with basic standards including:

  • Annual CISO reports to the board on the cybersecurity program and material cybersecurity risks

  • Penetration testing and vulnerability testing

  • Periodic risk assessment of technology systems

  • Use of multi-factor or risk based authentication

  • Regular cybersecurity training for employees

In September, more deadlines will follow for compliance in areas including audit, data retention and disposal, monitoring and detection of unauthorized access, and data encryption.

As a digital identity company, ForgeRock is well versed in providing multi-factor authentication (MFA) - verifying two or more independent factors: a knowledge factor (e.g. a password), a possession factor (e.g. a push notification to a registered device), or an inherence factor (e.g. biometrics). Our Advanced Authentication offering provides over 25 out-of-the-box authentication modules to fit the needs of your business, including device fingerprinting and one-time passwords. We can also help you go beyond basic compliance and use digital identity in creative ways to improve the customer experience. For instance, ForgeRock offers passwordless login via push notifications, fine-grained authentication and authorization, and a continuous security approach to ensure the authenticity of people, services, and things. In our most recent release, we introduced authentication trees. They provide fine-grained authentication by allowing admins to create, customize, and integrate multiple paths and decision points throughout a user’s authentication journey. This gives more granular control over user security and the ability to create complex yet customer-friendly authentication experiences.

Additionally, ForgeRock offers risk-based authentication that monitors a user’s behavior and context and requires an additional authentication factor when the pattern of usage deviates from a baseline, raising the risk score. This helps you deliver a secure experience regardless of the user’s device or location, and it improves the customer experience by requiring step-up authentication only when truly necessary. The adaptive risk engine continuously assesses the authenticity of users, devices (things), and services.
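As an added illustration of the risk-based step-up pattern described above (example code written for this post, not ForgeRock's adaptive risk engine or its data model), the snippet below scores a login attempt against a per-user baseline and decides whether to allow it, demand a second factor, or deny it. The baseline fields, deviation weights and thresholds are all assumed values chosen for the example.

```python
from dataclasses import dataclass

# Constructed baseline of "normal" for one user: known devices, usual
# countries and the local hours during which logins are typically seen.
@dataclass
class Baseline:
    known_devices: set
    usual_countries: set
    usual_hours: range

# Context captured for one login attempt (constructed example fields).
@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int
    failed_attempts_last_hour: int

# Illustrative weights and thresholds; a real engine tunes these from data.
WEIGHTS = {"new_device": 40, "new_country": 35, "odd_hour": 15, "brute_force": 30}
STEP_UP_THRESHOLD = 30    # at or above: require an additional factor
DENY_THRESHOLD = 100      # at or above: refuse outright

def risk_score(baseline, ctx):
    """Sum the weight of every deviation between this attempt and the baseline."""
    reasons = []
    if ctx.device_id not in baseline.known_devices:
        reasons.append("new_device")
    if ctx.country not in baseline.usual_countries:
        reasons.append("new_country")
    if ctx.hour not in baseline.usual_hours:
        reasons.append("odd_hour")
    if ctx.failed_attempts_last_hour >= 5:
        reasons.append("brute_force")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(baseline, ctx):
    """Map the score to allow / step_up / deny; reasons support audit logging."""
    score, reasons = risk_score(baseline, ctx)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons

def learn(baseline, ctx):
    """After a successful step-up, fold the new device and country into the baseline
    so the same user is not challenged again for the same context."""
    baseline.known_devices.add(ctx.device_id)
    baseline.usual_countries.add(ctx.country)
```

The `reasons` list returned alongside the decision is what a SOC would want written to the authentication log, so that step-ups and denials can be reviewed and the weights adjusted.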

As institutions consider their deployment of new authentication methods, the regulatory demand can be seen as an opportunity to deliver more efficient access seamlessly across services and devices. While MFA is important, the rapidly changing threat environment requires more advanced security solutions. Hackers are well funded, highly motivated, and very creative. Your security solutions need to evolve to address these threats. The varied attack vectors, often opened by phishing and followed by privilege escalation once inside the network, mean that access to high-value data and its repositories needs a combination of granular access control and easy-to-use authentication. To help adapt to new threats, the ForgeRock Identity Platform integrates seamlessly with third-party authentication providers (check out the innovative solutions offered by our Trust Network technology partners). Leading organizations are exploring how authenticated access can be extended to trusted third parties, through brokers and agency networks and via APIs to partners and clients.

ForgeRock delivers identity-centric security, at scale, for some of the world’s most trusted global financial services brands, including GEICO, Thomson Reuters, and HSBC. While the NYDFS regulation covers a wide range of cybersecurity requirements, it’s further evidence that identity is a critical piece of the puzzle for ensuring the protection and privacy of employees and customers.

To learn more about ForgeRock for Financial Services, visit https://www.forgerock.com/industries/financial-services

Check out our access management page for more on our MFA and adaptive risk solutions.