Under 23 NYCRR 500, each Covered Entity must implement “effective controls” based on its Risk Assessment to protect against unauthorized access to Nonpublic Information. This is a rather imprecise call-to-action on its own, but NY DFS provides further clarity as to its expectations.
Specifically, the implication is that multi-factor authentication is expected. So, what exactly does this mean?
Until the last several years, you could think of most authentication as “single-factor”; if you wanted to sign into an account somewhere, you had your username (that may be known to others, such as an email address, for example) and a password that only you knew. This password was the single “factor” for authenticating that you were who you said you were.
As data breaches became more sophisticated and users continued to choose easy-to-guess passwords, security experts developed a new way of authenticating that users were who they said they were, called multi-factor authentication. In essence, you could choose two or more of the following categories to make a user prove their identity:
- Something you know. For example, a password, passphrase or security question.
- Something you have. For example, a key, smart card, temporary text message code or USB token.
- Something you are. For example, your fingerprint, retina scan or facial recognition.
Forcing a user to prove more than one of these is multi-factor authentication. It’s a bit like getting your driver’s license renewed: they make you show proof of address, your Social Security Number and a form of identification. You can’t show only one document and get your new license.
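The subtlety in the three categories above is that two credentials from the same category (a password plus a security question, both “something you know”) are still single-factor. The following stdlib-only Python is an added example, not code from the article or from NY DFS; the credential registry is a constructed assumption, and the time-based code is the RFC 6238 TOTP algorithm used as the “something you have” factor.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed registry: which category each credential type proves.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; `at` is a Unix timestamp in seconds."""
    counter = struct.pack(">Q", at // step)          # time-step counter, big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    candidates = (totp(secret, at + d * 30) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def is_mfa(verified_credentials) -> bool:
    """True only when the verified credentials span at least two distinct categories."""
    categories = {CREDENTIAL_FACTOR[c] for c in verified_credentials}
    return len(categories) >= 2
```

Note that `is_mfa(["password", "security_question"])` is False while `is_mfa(["password", "totp"])` is True, which is the distinction an auditor will look for.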
Reg 500 in New York mandates that multi-factor authentication be used for any individual accessing the Covered Entity’s internal network from an external network. The concern is that an outsider would find a way to steal a simple password and access the company’s information systems remotely.
There are only two ways around this requirement. The first is if the Chief Information Security Officer of the Covered Entity approves the use of reasonably equivalent or more secure access controls. This needs to be done in writing and is a tall order. Multi-factor authentication has quickly become the de facto standard for information protection. It’s like having airbags in your car now – it is just expected.
The only other companies that do not have to implement multi-factor authentication are those with exemptions. Many small companies will be exempt from certain provisions and this is likely one of them.
For those that must comply with this provision, it is important to base the implementation of multi-factor authentication on your Risk Assessment. Identify the areas of greatest exposure and develop a plan for meeting this requirement in a consistent and effective way.