On December 7, 2021, the New York Department of Financial Services (“NY DFS”) released an industry letter providing guidance on Multi-Factor Authentication (“MFA”). MFA, which requires users of information systems to provide an additional “factor,” often through a one-time code or push notification to their mobile device, in addition to their password when accessing information systems. MFA is required under 23 NYCRR Part 500 (the “Cybersecurity Regulation”), but not for certain small entities subject to the limited exemption under 500.19(a). In its recent letter, the NY DFS observes that, based on its review of cybersecurity notifications received as required by its Cybersecurity Regulation, many cybersecurity events would have been prevented if MFA was in place ahead of time. Our firm’s Incident Response Team shares this observation.
The NY DFS letter also observes that effective implementation of MFA requires proper configuration and implementation, and notes several common deficiencies, including: delayed rollouts or special exceptions for resistant users; overreliance on non-MFA compensating controls, such as with insurance portals accessed by independent third party agents; and the use of sms-text messaging as an MFA solution. Part of the problem is that selecting the appropriate MFA solution is also a challenge. Confusion is inherent to the nuanced technical differences among MFA solutions. For example, sms-text messaging, is vulnerable to attacks that allow attackers to intercept text messages. The NY DFS notes that better solutions rely on token or push notification based systems, but even robust MFA solutions can fail when users are inattentive or subject to successful social engineering attacks.
Referencing industry sources, the NY DFS estimates that the cost per employee of MFA is $33. Considering the effectiveness of a properly configured and implemented MFA solution and the costs of cybersecurity events, MFA may be the most cost-effective tool as part of the information security program securing information systems. Although smaller entities subject to the 500.19(a) exemption are not required to implement MFA, the NY DFS recommends MFA implementation as a cost-effective solution for preventing cybersecurity events.