NYDFS issues new guidance on required use of MFA under its Cyber Regulation
Yesterday, on December 7, 2021, the New York State Department of Financial Services (“NYDFS”) issued Guidance on Multi-Factor Authentication (“Guidance”), reminding all regulated entities (or “Covered Entities”) that the use of multi-factor authentication (“MFA”) is required by the NYDFS Cyber Regulation. The Guidance also makes clear that MFA is a “focus” of the agency’s cybersecurity supervisory and enforcement work, and highlights several causes of MFA gaps that have resulted in liability under the regulation. A regulated entity is any person or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR § 500.1(c). Because the Cyber Regulation mandates third-party risk management requirements, even if an organization is not directly governed by the regulation, NYDFS requirements still may be imposed by virtue of contracts, client guidelines, and other B2B mandates. A brief synopsis of the Guidance is as follows.
NYDFS states that between January 2020 and July 2021, the agency “found that more than 18.3 million consumers were impacted by cyber incidents reported to [NY]DFS … in which Covered Entities had MFA failures,” and that 64% of Covered Entities that reported a Cybersecurity Event to NYDFS during that timeframe “had some gap in their MFA.” The five “most common” causes for an MFA gap or failure are as follows. (Remember – according to NYDFS, these causes still resulted in a violation of the Cyber Regulation.)
- Organizations employ legacy systems that do not support MFA. According to the Guidance, gaps in MFA coverage arise from organizations employing “outmoded applications and systems” that do not support MFA, including Microsoft email services which employ only basic, non-MFA legacy authentication. According to the Guidance, in several incidents, the threat actor exploited a legacy system that the organization did not realize remained active.
- MFA employed by organizations for remote access does not cover key applications. While most VPN services require MFA, according to the Guidance, many organizations have email and other applications that can be accessed without VPN access and without use of MFA. A “common problem” identified by NYDFS is a lack of MFA for cloud-based services, including O365 and G-Suite.
- MFA is not required for third parties having access to internal networks. In some reported incidents, organizations had not required MFA for third parties accessing internal networks. As an illustration, the Guidance states that “insurance companies sometimes do not require MFA for independent insurance agents who have access to sensitive consumer information – such as social security numbers and drivers’ license numbers – on the insurance companies’ information systems.” Organizations “must require MFA or the use of reasonably equivalent or more secure access controls for all third parties accessing information systems with nonpublic information.”
- MFA setups and rollouts are not completed in a timely manner. The Guidance recognizes that an MFA rollout can be slow, leaving gaps in MFA coverage. The Guidance states that “[g]ranting remote access permissions and configuring MFA for users should be done with the direct oversight of one or more designated individuals,” and that organizations “should track and enforce compliance with the MFA requirement.” NYDFS further states that organizations “should plan transitions to avoid gaps in MFA usage and implement compensating controls during temporary gaps.”
- Poor Exceptions Management. The Guidance also uncovered incidents with MFA gaps – resulting in regulatory liability – where organizations “granted too many exceptions to MFA policy or allowed permanent exceptions,” such as where a member of senior management of an organization refused to use MFA. According to the Guidance, “[e]xceptions to the MFA requirement should be granted sparingly, tracked, and last only as long as necessary.”
According to the guidance, MFA should be viewed “as a key component of all access controls,” and organizations should consider the following:
- MFA for Privileged Accounts: Organizations “should use MFA for all privileged accounts, as discussed in our Ransomware Guidance, and by the Cybersecurity & Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation in their warning to remain vigilant against malicious cyber actors.”
- Not all Forms of MFA are Equal: “Push-based MFA is more susceptible to human error than token-based MFA. … With token-based authentication, a user is less likely to unwittingly grant access to a cybercriminal because the user must proactively enter a passcode.” In addition, text message-based MFA is vulnerable to SIM-swapping.
- Oversight of MFA: Organizations should also test and validate the effectiveness of MFA implementation. IT audits, penetration tests, and vulnerability scans should include verification of MFA control strength, with material weaknesses reported to senior management.
Finally, finding that “[s]mall businesses find themselves increasingly in the crosshairs of cyber criminals eager to exploit a lack of MFA,” NYDFS advises that small businesses should implement MFA and “urges” small businesses to avail themselves of GCA’s Cybersecurity Toolkit for Small Business and other available resources, such as CISA’s Cybersecurity Awareness Program Small Business Resources, to implement MFA. As the agency notes, “[w]hile many small businesses licensed by DFS are exempt from the requirement to use MFA for remote access, unfortunately they are not exempt from being targeted by cybercriminals.”
Regulated entities are urged to heed NYDFS’s guidance and recognize MFA as what the agency describes as a critical and “essential part” of cyber hygiene and a risk management program. Particular attention should be afforded to legacy systems that do not support MFA. To the extent such systems are still needed by the entity, entities should prioritize consideration of whether such systems should be deactivated. Covered enterprises also should prioritize their scrutiny of remote access applications and third-party access to their systems and non-public information.