The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) requires New York banks, insurance companies and other regulated financial services organizations—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services environment.
There are resources available to help you take a proactive, data-driven approach to comprehensive cybersecurity: bringing your organization into full compliance, protecting valuable data and safeguarding sensitive customer information. Acquiring a copy of the regulation is a great start.
One key requirement of the regulation is multifactor authentication (MFA). With 81% of data breaches involving weak or stolen credentials, authentication is the control that addresses that 81% of breaches. Yet it is so often overlooked. Credentials are in the hands of every employee, customer and IT staff member.
In section 500.12, NYDFS requires all covered organizations to have MFA in place by March 2018: “each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.” Nonpublic Information, as the regulation defines it, is largely personally identifiable information such as names and Social Security numbers.
Crossmatch takes the human error element away and allows passwordless environments. With a wide range of authentication factors, users can authenticate easily and securely. Our DigitalPersona composite authentication approach offers the broadest set of factors, creating the right mix of authentication options for every user, moment by moment. We go beyond traditional authentication to provide risk-based factors that deliver the strongest, most complete protection available to secure your network, applications and digital assets.
In the end, compliance with regulations alone will not make organizations safe. The bad news is that complying with NYCRR 500 will take planning and effort. The good news is that the regulation is well-crafted and aligns with established information security frameworks such as ISO 27001 and NIST/FISMA. In addition, complying with it will reduce the risk of a data breach.
Authentication solutions that are secure and convenient—as well as compliant—are the real goals for an organization. Going beyond what you know, who you are and what you have opens up new ways to achieve security, convenience and compliance.
Stefan Loi is an experienced Information Security Advisor and Regional Manager at Crossmatch for the authentication practice (DigitalPersona®). With 15+ years in the industry, he is skilled in Identity and Access Management and helping Chief Information Security Officers develop an effective IAM strategy. Stefan holds a Bachelor of Science degree from the London School of Economics and has held regional and product management roles at Dell Technologies, Quest Software and Telecom Italia Information Technology.