NYDFS Cybersecurity Regulation Affects Insurance & Finserv Sectors

Michael Magrath

Earlier this year, the New York State Department of Financial Services (NYDFS) significantly increased the cybersecurity requirements for any financial services company doing business in the state. Given that New York City is the “Financial Capital of the World”, there are few organizations unaffected by the Cybersecurity Requirements for Financial Services Companies regulation.

Section 500.12 requires all covered entities to use multi-factor authentication (MFA) for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the:

  • Banking Law;
  • Insurance Law; or
  • Financial Services Law.

Covered entities have until March 1, 2018 to comply with the MFA requirement.

Insurance Industry

Many of the cybersecurity provisions included in the NY State DFS regulation could also affect the insurance industry.

As a model law, the Insurance Data Security Model Law may be adopted or rejected by each state, in whole or in part. If a state adopts it, it becomes the statutory law of that state, meaning many of the cybersecurity provisions included in the NY DFS regulation, including multi-factor authentication, could also affect the U.S. insurance industry.

Equifax Breach Prompts Warning

In light of the 2017 Equifax breach, DFS proposed to extend its data protection rules to credit reporting firms. It has also issued a warning to banks, along with guidelines on how to limit damage.

With 143 million breached credit files out on the Dark Web, the DFS recommends that banks “review due diligence/Know Your Customer processes used in credit applications to understand the source and reliability of the data, and consider using identity verification fraud services to verify the process.”

We Can Help You Comply with the Cybersecurity Regulation

At VASCO, we are uniquely positioned to help with compliance.

As a global leader in digital solutions for identity, security and business productivity, VASCO can help your organization enable trust in the digital world. More than half of the top 100 global banks rely on VASCO to protect their online, mobile and ATM channels.

We can help with:

To learn more about multi-factor authentication, visit vasco.com.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).