How to Meet NYDFS Mandates with Identity & Access Management

Introduction

Given the advent of new and evolving compliance regulations, including recent landmark mandates from the New York Department of Financial Services (NYDFS), impacted technology professionals need to ensure that their organisations employ modern solutions that augment the capabilities of traditional Identity and Access Management (IAM).

This white paper is designed for Information Technology (IT) and Information Security (IS) professionals and technology-focused executives, and reviews the NYDFS IAM-related mandates and their impact on the organisations that are subject to them (“Covered Entities”), as well as specific solutions from Okta, including Adaptive MFA and Lifecycle Management, that can help Covered Entities ensure compliance with the new NYDFS mandates. Please note that this white paper, while discussing legal topics and analysing certain regulations, does not constitute legal advice. If you or your organisation needs legal advice regarding the topics covered here, please contact an attorney.

All content included by Okta in this white paper is provided for informational purposes only.

On March 1, 2017, the NYDFS Cybersecurity Requirements went into effect as defined under 23 NYCRR Part 500. The new rule applies to nearly 1,900 banking and other financial institutions, whose collective assets total more than $2.9 trillion, and all insurance companies that do business in New York state, which includes nearly 1,700 insurance companies whose collective assets exceed $4.2 trillion. The new mandates affect licensed lenders, state-chartered banks, trust companies, service contract providers, private bankers, mortgage companies, insurance firms doing business in New York, non-U.S. banks licensed to operate in New York, and many other organisations. NYDFS mandates cast a wide net—far beyond just financial firms operating in New York.

While many existing compliance mandates prescribe specific actions or controls, the NYDFS regulation is built around a risk assessment of each Covered Entity's cybersecurity program, which determines whether its policies and practices adequately mitigate the risks identified. Effective IAM, specifically in the form of Multi-Factor Authentication (MFA) or reasonably equivalent or more secure access controls, is now required by the NYDFS. Specifically, the definitions section, 500.01, defines MFA as follows:

Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic.

The same definitions section also defines risk-based authentication, which is equally pertinent to effective IAM:

Risk-Based Authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.
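Both definitions above describe checks that can be expressed in code. The following is an added example and is not part of the Okta white paper or of the NYDFS text: a small policy evaluator that (a) counts factor types rather than authenticators, so that a password plus a PIN does not qualify as MFA under the 500.01 definition, and (b) compares each login against a stored baseline of a user's normal use pattern and demands step-up verification when the login deviates from it. The factor-to-type mapping, the Baseline and LoginEvent structures, the 900 km/h travel threshold and the sample users and events are all assumptions chosen for illustration.

```python
"""Added example (not from the Okta white paper or the NYDFS regulation).
Models the 23 NYCRR 500.01 definitions of Multi-Factor Authentication and
Risk-Based Authentication as a small policy evaluator. All data structures,
thresholds and sample inputs below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

# Each authenticator maps to the factor *type* it belongs to. The regulation
# counts types, not authenticators: password + PIN is still single-factor.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "totp": "possession", "sms_otp": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


def factor_types(factors: List[str]) -> Set[str]:
    """Distinct factor types among the verified authenticators."""
    return {FACTOR_TYPE[f] for f in factors}


def is_mfa(factors: List[str]) -> bool:
    """True when at least two distinct factor types were verified."""
    return len(factor_types(factors)) >= 2


@dataclass
class Baseline:
    """Assumed representation of a user's 'normal use pattern'."""
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours_utc: Tuple[int, int]                      # [start, end) hour
    last_login: Optional[Tuple[datetime, float, float]]   # (time, lat, lon)


@dataclass
class LoginEvent:
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime
    verified_factors: List[str]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used to detect physically impossible travel."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_signals(baseline: Baseline, event: LoginEvent) -> List[str]:
    """Deviations from the baseline; each string names one anomaly."""
    signals = []
    if event.device_id not in baseline.known_devices:
        signals.append("new_device")
    if event.country not in baseline.usual_countries:
        signals.append("new_country")
    start, end = baseline.usual_hours_utc
    if not start <= event.at.hour < end:
        signals.append("off_hours")
    if baseline.last_login is not None:
        t0, lat0, lon0 = baseline.last_login
        hours = (event.at - t0).total_seconds() / 3600.0
        km = haversine_km(lat0, lon0, event.lat, event.lon)
        # 900 km/h is an assumed airliner ceiling; faster implies two actors.
        if hours <= 0 or km / hours > 900.0:
            signals.append("impossible_travel")
    return signals


def decide(baseline: Baseline, event: LoginEvent) -> Tuple[str, List[str]]:
    """Policy: impossible travel denies; MFA is mandatory; any other
    anomaly forces additional verification (step-up)."""
    signals = risk_signals(baseline, event)
    if "impossible_travel" in signals:
        return "deny", signals
    if not is_mfa(event.verified_factors):
        return "require_mfa", signals
    if signals:
        return "step_up", signals
    return "allow", signals


def sample_decisions() -> Dict[str, str]:
    """Constructed sample user and logins; returns decision per scenario."""
    utc = timezone.utc
    ny = (40.7128, -74.0060)
    baseline = Baseline({"laptop-01"}, {"US"}, (12, 23),
                        (datetime(2017, 9, 18, 13, 0, tzinfo=utc), *ny))
    events = {
        "normal": LoginEvent("laptop-01", "US", *ny,
                             datetime(2017, 9, 18, 14, 0, tzinfo=utc),
                             ["password", "totp"]),
        "two_knowledge": LoginEvent("laptop-01", "US", *ny,
                                    datetime(2017, 9, 18, 14, 0, tzinfo=utc),
                                    ["password", "pin"]),
        "new_country": LoginEvent("laptop-01", "CA", 43.6532, -79.3832,
                                  datetime(2017, 9, 18, 16, 0, tzinfo=utc),
                                  ["password", "totp"]),
        "impossible_travel": LoginEvent("unknown-7", "DE", 50.1109, 8.6821,
                                        datetime(2017, 9, 18, 14, 0, tzinfo=utc),
                                        ["password", "sms_otp"]),
    }
    return {name: decide(baseline, ev)[0] for name, ev in events.items()}


if __name__ == "__main__":
    for name, outcome in sample_decisions().items():
        print(f"{name:18s} -> {outcome}")
```

The ordering in `decide` is deliberate: a login that is physically impossible given the previous one is refused even if the presented factors are valid, because a correct password plus an intercepted SMS code is exactly what a credential-phishing attacker holds. Step-up is the response the 500.01 definition of risk-based authentication calls for, and it should request a factor type the session has not yet used rather than the same one again.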

NYDFS also describes how each Covered Entity must implement and maintain cybersecurity policies. One of the areas explicitly covered by those policies is access controls and identity management. Covered Entities must demonstrate that they have effective IAM measures in place to eliminate or reduce unauthorised access to sensitive information by hackers, phishers, insiders, or third parties.

The new mandates indicate that the NYDFS views IAM as the first line of defence in protecting vital customer and business information. If a Covered Entity’s IAM authorisation processes are not well defined, are too permissive, or are ineffectively maintained, other tactics—such as encryption or data breach detection—will not be as effective in accomplishing the goals of the NYDFS cybersecurity guidelines.

Under the new mandates, identity has become an even more critical control point and plays a vital role in preventing credential-related security risks. For many Covered Entities, an improved IAM posture is required to ensure compliance. Implementing MFA, Lifecycle Management and other solutions can help ensure compliance through simplicity for administrators and users, secure authentication across all applications, and extensibility throughout the entire organisation and security stack.


The Security Landscape

Cybersecurity attacks have increased dramatically over the past decade and most are related to two key areas of concern for IT and IS professionals:

Weak or Stolen Credentials

Cybersecurity attacks are increasing drastically as organisations expand their use of cloud and mobile apps, and staying ahead of the risks is a difficult and demanding challenge for IT and IS professionals. The Symantec April 2017 Internet Security Threat Report states that over the previous eight years more than 7.1 billion identities were exposed in data breaches. The 2017 Verizon Data Breach Investigations Report documents that 81% of hacking-related breaches leveraged stolen and/or weak passwords. Privacyrights.org has reported that over the past few years, 893 publicly acknowledged breaches resulted in over 172 million lost records. This statistic does not include one of the largest breaches ever reported, disclosed by the credit agency Equifax in September 2017, in which social security numbers and birth dates for 143 million people were stolen.

Phishing Attacks

The 2016 Verizon Data Breach Investigations Report also finds that over 90% of phishing attacks target user credentials. These attacks, usually phishing or spear phishing grouped under the heading of "social engineering," are becoming more frequent and more sophisticated. Despite frequent efforts by organisations to educate users about this threat, credential phishing is still rampant, and simple password protection is no longer adequate. In the typical enterprise, 73% of passwords are duplicates, and up to 40 services are often registered to a single email account while the average user has only five passwords for all of them. Password reuse means that one phished or cracked credential unlocks many accounts.

The potential for non-compliance with the new mandates has increased dramatically as phishing and other attacks escalate, and as regulated organisations have less control over the passwords, mobile devices and networks their users employ. Each time an employee connects to an open network at a local coffee shop, the possibility arises of a breach that requires notice to affected consumers and to certain government bodies. Under 23 NYCRR 500.17(a)(1), a breach that requires such notice is a Cybersecurity Event that must also be reported to the NYDFS.

Given these facts, improving identity validation is now one of the most important tasks that IT and IS professionals can undertake. Implementing effective MFA and Lifecycle Management solutions, such as those from Okta, can help improve your overall cybersecurity and IAM posture while ensuring compliance with the ever-evolving NYDFS regulations.
