New York Agencies Issue Multi-Factor Authentication Guidance to Regulated Agencies

On December 7, 2021, the New York Department of Financial Services ("NYDFS") issued guidance on weaknesses associated with multi-factor authentication ("MFA") to assist entities in establishing effective cybersecurity policies and programs.

According to the NYDFS, MFA weaknesses are the most common cybersecurity gap exploited at financial institutions. Since the enactment of the New York Cybersecurity Regulation, 23 NYCRR Part 500, more than 18.3 million consumers have been affected by "cyber incidents" reported to the NYDFS.

As a result of such exploitation, NYDFS is focused on MFA deficiencies in its cybersecurity supervisory and enforcement work. Specifically, the NYDFS has initiated enforcement actions against organizations that failed to fully implement MFA and subsequently failed to prevent unauthorized access to nonpublic information. NYDFS is also increasing its review of MFA during examinations, placing particular emphasis on the common MFA failures discussed in its guidance.

Common MFA Failures:

A. Violations of NYDFS's Cybersecurity Regulation

1) Legacy Systems That Do Not Support MFA

"Gaps in MFA coverage arise when Covered Entities use outmoded applications and systems ("legacy systems") that do not support MFA."

2) MFA for Remote Access Fails to Cover Key Applications

"While most VPN services require the use of MFA, many Covered Entities have email or other applications that can be accessed without VPN access."

3) Lack of MFA for Third Parties That Have Access to an Internal Network with Nonpublic Information

"Covered Entities sometimes do not require third parties to use MFA when accessing their systems and the nonpublic information on them."

4) MFA Setups and Rollouts That Are Not Completed for All Users in a Timely Manner

"An MFA setup or rollout that is incomplete or slow can leave gaps in MFA coverage."

5) Poor Exceptions Management

"The Department has reviewed cyber incidents that occurred because a Covered Entity granted too many exceptions to MFA policy or allowed permanent exceptions."

B. Other Considerations

1) MFA for Privileged Accounts

"In every case where cybercriminals escalated privileges during a reported Cybersecurity Event, the privileged account lacked MFA."

2) Not All Forms of MFA Are Equal

"The most common types of MFA used by Covered Entities are token-based or push-based configurations."

3) Oversight of MFA

"Covered Entities should also test and validate the effectiveness of MFA implementation."

Please note that additional commentary on each of these sections is available in the NYDFS guidance.

Although the guidance specifically applies to New York regulated entities, all organizations should review their multi-factor authentication policies to ensure that best practices are in place and that these common failures are avoided.

If you have any questions or concerns about how this guidance could impact your organization or to have your policies reviewed and updated, please contact Kennedy Sutherland.
