NY DFS, NIST and NAIC align on multi-factor authentication in financial services

The New York State Department of Financial Services (DFS) regulates over 1,400 insurance companies and approximately 1,500 banks and financial institutions. Not surprisingly, with New York being the “financial capital of the world,” the overwhelming majority of U.S. financial institutions and many international institutions with operations in NY fall under DFS regulation.

Given the widespread cyberattacks on U.S. financial institutions, the DFS published its Cybersecurity Requirements for Financial Services Companies. Some of the requirements went into effect in late 2017, while others were deferred under a transition period. As one of 16 critical infrastructure sectors defined by the U.S. Department of Homeland Security, the financial services industry has since turned to the identity and access management, and cybersecurity, sectors for guidance. 

Many of the provisions of the DFS regulation go into effect around the same time as the National Institute of Standards and Technology (NIST) will be finalizing the Framework for Improving Critical Infrastructure Cybersecurity, version 1.1. 

According to NIST, version 1.1 of the Cybersecurity Framework “added a Subcategory to address authentication and some language refinements were made within the Identity Management and Access Control Category.” Version 1.0 did not specifically call out authentication, leading to confusion among the sectors.

The DFS regulation includes 22 separate provisions covering policies, procedures, and implementation requiring financial services organizations to better protect data. Described in more detail below, are two of its provisions: multi-factor authentication and application security.

Section 500.12: Multi-factor Authentication

(Effective Date: March 1, 2018)

Based on a risk assessment, effective controls must be implemented to protect against unauthorized access to non-public information or information systems. The controls may include multi-factor authentication (MFA) or risk-based authentication. In sum, MFA must be used when accessing internal networks from an external network, unless the CISO has provided written approval to use reasonably equivalent, or more secure, access controls.

Although the regulation still requires MFA, it is not so restrictive as to mandate a specific NIST Authenticator Assurance Level as defined in NIST’s Digital Identity Guidelines. Financial services organizations may select from a variety of authentication solutions.

MFA technology has come a long way since the days of PKI smart cards. Financial services organizations can comply with the DFS while deploying user-friendly, secure solutions.

One could argue that security vendors have achieved, or are very close to achieving, a balance between security and usability. Biometric-enabled mobile devices have opened the floodgates to innovation. Mobile devices are equipped with a high-quality camera capable of capturing images and video of the user’s face, and microphones to leverage voice recognition technology.  Fingerprints, voice and facial recognition are being used across many industries, including banking and insurance. In addition, there has been a migration away from one-time password (OTP) hardware tokens to secure, OTP apps and push notifications. As a result, compliance may be just a matter of deploying technology already in use by customers, for internal controls.

Section 500.08: Application Security

(Effective Date: September 1, 2018)

The DFS rule emphasizes written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications and procedures for evaluating, assessing or testing the security of externally developed applications. Additionally, procedures, guidelines and standards “shall be periodically reviewed, assessed and updated as necessary by the CISO.”

Let’s assume that most organizations can already check the box that they comply with 500.08. However, compliance is one thing – while truly securing applications is another. With the continuous migration of end-users to mobile devices, financial services organizations should shield and harden mobile applications and build this important step into their product development and release cycles to protect the integrity of data and transactions.

Mobile apps offer ease of use and instant access from a smartphone but can increase exposure to malware and real-time attacks during execution. By adding mobile application shielding, the financial institution can choose to:

• Cause the application to terminate when it detects a security issue; or
• Provide a notification to the application, which specifies the security check results, so the application can decide how to proceed (e.g. notify the user about potential security risks).

NAIC Insurance Data Security Model Law

In December 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law, leveraging many of the provisions of the DFS Cybersecurity Requirements.

Given the large-scale breaches that have affected the insurance industry over the past few years, it is surprising that the multi-factor authentication requirement is not included in the model law. However, the model law does suggest using effective controls, which may include MFA. It would be very surprising if the states omit MFA as the model law is adopted and implemented nationwide. 

Identity management and multi-factor authentication play a critical role in cybersecurity. Too many breaches of late could have been avoided if organizations had deployed MFA solutions instead of relying on static passwords.  The actions taken by the New York DFS, NIST and NAIC reinforce the need for financial services – and all enterprises for that matter – to leverage modern technologies to protect sensitive information.