NYDFS Outlines Common MFA Problems, Steps to Fix Them
The New York Department of Financial Services reiterated last week that rolling out MFA and ensuring it's configured properly is essential to reducing cyber risk.
At this point, having a robust form of multi-factor authentication implemented has become a vital part of every organization's cybersecurity posture, especially those still trying to secure a work-from-anywhere workforce.
It's an important component when it comes to securing the heavily regulated financial industry, which is dependent on having a system of trusted authorized access in place.
The New York State Department of Financial Services (NYDFS), which oversees banks, insurance, and financial services firms in New York, reiterated the importance of MFA last week in guidance it issued on the method.
In the letter, NYDFS called MFA weaknesses "the most common cybersecurity gap exploited at financial services companies" before getting into the biggest problems it usually sees: organizations either lack MFA entirely, or fail to have it fully or correctly configured.
Specifically, 64% of organizations that reported a Cybersecurity Event to NYDFS from January 2020 to July 2021 had a gap in their MFA setup.
Unsurprisingly, the pandemic and the influx of people working remotely that it brought have hastened the need for MFA, according to the DFS.
If rolled out too quickly, MFA can be a stumbling block for organizations. NYDFS claims it's seen several instances where organizations were using outdated, legacy systems that didn't support MFA or, in some cases, that the organization's IT department had completely forgotten about.
The scope of the MFA chosen by companies can be a problem too.
NYDFS claims that on several occasions, organizations found in violation of Section 500.12, which requires MFA, didn't implement it for employees' remote access to apps and systems that can be accessed without a VPN.
Other organizations have neglected to roll out MFA for third parties who access sensitive data like Social Security numbers and driver's license numbers through a portal or app. This information needs to be secured, of course, and MFA, or “reasonably equivalent or more secure access controls,” needs to be used across the board, regardless of who is accessing it.
Oftentimes the onus is on the employee to follow through on setting up MFA. This can come back to bite orgs too, NYDFS stresses.
“The Department has seen cyber incidents that occurred because MFA setup was left to the user, and some users never setup MFA. Covered Entities should track and enforce compliance with the MFA requirement,” the guidance reads. “The Department has also reviewed incidents that occurred because of long gaps in MFA coverage during rollouts or transitions to new technology. In some cases these gaps lasted for many weeks or months.”
To remedy these problems, the Department is encouraging organizations to implement MFA for remote access, and beyond that as necessary, as long as it can help reduce the risk of unauthorized access. It's also encouraging organizations to use MFA for all privileged accounts, use token-based MFA as opposed to push-based or text-based, and to test the effectiveness of MFA through regular audits.
As NYDFS notes, its Cybersecurity Regulation, which requires nearly 2,000 financial organizations to adhere to a set of prescribed cybersecurity requirements, has pushed companies to use MFA to access company apps or data from an external network since it was enacted in 2018.
But lately, as recently as this year, the NYDFS has begun to assert how seriously it takes the MFA component of the Cybersecurity Regulation. In a settlement in April, the department ordered a life insurance and annuities company to pay a $3 million fine because it hadn't implemented MFA for its mail system, along with other third-party apps. This opened the door for attackers, via phishing emails, to access the company's network on several occasions.