The Clock Is Ticking on NY-DFS MFA Requirements


On March 1, 2017, the New York State Department of Financial Services (DFS) enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). After investigating hundreds of cybersecurity incidents, DFS amended Part 500, increasing the number and kinds of security measures organizations are expected to implement to achieve sound cyber resilience.

This amendment became effective on November 1, 2023.

What Are the Identity Protection Requirements in the New Amendment?

Section 500.12 of the amended Part 500 states that MFA is required for the following:

  1. Remote access to the covered entity’s information systems;
  2. Remote access to third-party applications, including but not limited to cloud-based apps from which nonpublic information is accessible; and
  3. All privileged accounts other than service accounts that prohibit interactive login.

Failure To Meet These Requirements Results in Large Fines

The DFS issued this notification on November 23rd, 2023:

‘The New York State Department of Financial Services (DFS) today announced that First American Title Insurance Company (First American) will pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) stemming from a large-scale cybersecurity breach in May 2019. The breach contributed to the exposure of consumers’ nonpublic information. In addition to penalties, the company has agreed to implement significant remedial measures to better secure consumer data.’

There’s no reason to assume that failing to comply with the new amendment will have different results. For that reason alone, it should serve as an incentive to all organizations to fully adjust their defenses to the amended requirements.

The Identity Protection Implication: Ransomware Spread and Lateral Movement

Privileged accounts are the leading attack surface abused by ransomware actors. Every high-scale ransomware attack seeks to plant a malicious payload in as many machines as possible. The way to achieve that is by compromising the credentials of a privileged account and using it to log in to as many machines as possible.

In that sense, the amendment is spot on: placing MFA on all privileged accounts significantly reduces the likelihood of such an attack – as long as it actually covers all of them.

Not All MFA Solutions Are Born Equal: Checkbox Mindset Can Get You Pwned

The coverage of your chosen MFA solution is critical. Let’s assume you purchase an MFA solution, deploy it based on the MFA vendor’s recommendations, and leave a portion of admin access uncovered. Let’s also assume that this portion will be abused during a cyberattack, exposing the confidential data you’re entrusted with. In that case you’ll probably be found liable, and the fact that the other portion of administrative access was secured will not change a thing.

360 Admin Access Coverage: Command-Line Access, Legacy Apps, and IT Infrastructure

You need an MFA solution that can ensure all admin access is protected. There are MFA solutions that struggle with anything beyond web/SaaS, VPN, or RDP. When choosing your solution, make sure it can cover the access methods commonly abused by adversaries. Prominent examples include:

Command-line access

Command-line access tools such as PsExec and Remote PowerShell are the prime vector adversaries use to gradually spread in a compromised environment.

File shares

Adversaries abuse file shares to simultaneously plant and execute malicious payloads in multiple machines – a far more efficient method than accessing each machine individually.

Legacy apps

Many organizations run core operation processes on legacy applications, making them a lucrative target for ransomware actors.

IT infrastructure

Adversaries strive to gain access to the management interface of an IT or security solution in your environment, as it would give them unlimited access to your resources.

All these examples introduce a significant challenge to most MFA solutions in the market and in many cases are not covered at all. To comply with the amended NY-DFS MFA requirements, you should ensure they are covered and protected.
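The scope rule in Section 500.12 and the coverage gaps listed above can be checked against what is actually happening in an environment. The following Python script is an added example, not code from the original post or from Silverfort: it applies the 500.12(c) scope test (privileged accounts, except service accounts that prohibit interactive login) to a constructed account inventory, then walks constructed Windows Security 4624 logon records and reports every in-scope account that was observed logging on through a channel the MFA deployment does not enforce. The logon-type-to-channel mapping uses the real Windows 4624 logon type values; the account inventory, the events, and the set of MFA-covered channels are assumptions chosen to illustrate a deployment that protects RDP and console logons but not network logons (the channel PsExec, Remote PowerShell and file-share access use).

```python
"""Audit which privileged-account access paths are observed but not MFA-covered.

Added example, not from the original post or from Silverfort. The account
inventory, the 4624 records and the MFA coverage set are constructed; a
real deployment would pull these from Active Directory and a SIEM.
"""
from collections import defaultdict

# Windows logon types as recorded in Security event 4624 (real values).
LOGON_TYPE_CHANNEL = {
    2: "interactive",          # local console
    3: "network",              # SMB file shares, PsExec, WinRM / Remote PowerShell
    4: "batch",                # scheduled tasks
    5: "service",              # service start
    10: "remote_interactive",  # RDP
    11: "cached_interactive",  # cached domain credentials
}

# Constructed inventory: privileged flag, whether the account is a
# service account, and whether interactive login is prohibited.
ACCOUNTS = {
    "CORP\\admin.jane": {"privileged": True,  "service": False, "interactive_login_prohibited": False},
    "CORP\\svc_backup": {"privileged": True,  "service": True,  "interactive_login_prohibited": True},
    "CORP\\svc_legacy": {"privileged": True,  "service": True,  "interactive_login_prohibited": False},
    "CORP\\jdoe":       {"privileged": False, "service": False, "interactive_login_prohibited": False},
}

# Constructed 4624 records (subset of fields).
EVENTS = [
    {"account": "CORP\\admin.jane", "logon_type": 10, "workstation": "WS-01"},
    {"account": "CORP\\admin.jane", "logon_type": 3,  "workstation": "FS-01"},
    {"account": "CORP\\svc_backup", "logon_type": 5,  "workstation": "BK-01"},
    {"account": "CORP\\svc_legacy", "logon_type": 3,  "workstation": "APP-LEGACY"},
    {"account": "CORP\\jdoe",       "logon_type": 2,  "workstation": "WS-02"},
]

# Channels the hypothetical MFA deployment actually enforces. Many
# deployments cover RDP and console only; network logons are left out.
MFA_COVERED_CHANNELS = {"remote_interactive", "interactive"}


def in_mfa_scope(attrs):
    """Section 500.12(c) scope: privileged accounts, except service accounts
    that prohibit interactive login."""
    if not attrs["privileged"]:
        return False
    if attrs["service"] and attrs["interactive_login_prohibited"]:
        return False
    return True


def accounts_in_scope(accounts=ACCOUNTS):
    """Sorted list of account names that must have MFA under 500.12(c)."""
    return sorted(name for name, attrs in accounts.items() if in_mfa_scope(attrs))


def uncovered_access(events=EVENTS, accounts=ACCOUNTS, covered=MFA_COVERED_CHANNELS):
    """Map each in-scope account to the sorted list of observed logon channels
    the MFA deployment does not enforce; an empty result means full coverage."""
    gaps = defaultdict(set)
    for ev in events:
        attrs = accounts.get(ev["account"])
        if attrs is None or not in_mfa_scope(attrs):
            continue
        channel = LOGON_TYPE_CHANNEL.get(ev["logon_type"], f"unknown({ev['logon_type']})")
        if channel not in covered:
            gaps[ev["account"]].add(channel)
    return {acct: sorted(chs) for acct, chs in gaps.items()}


if __name__ == "__main__":
    print("In scope:", accounts_in_scope())
    for acct, chs in uncovered_access().items():
        print(f"{acct}: observed via {', '.join(chs)} without MFA coverage")
```

With the constructed data, `svc_backup` drops out of scope because it is a service account that prohibits interactive login, while `svc_legacy` stays in scope and, like `admin.jane`, shows up with network logons that the assumed MFA deployment does not cover. Unknown logon types are reported rather than silently skipped, so a record the mapping does not recognise still surfaces for review.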

Learn how Silverfort MFA enables you to meet NY-DFS requirements.
