NYDFS Cybersecurity Regulation Affects Insurance & Finserv Sectors

Earlier this year, the New York State Department of Financial Services (NYDFS) significantly increased the cybersecurity requirements for any financial services company doing business in the state. Given that New York City is the “Financial Capital of the World”, there are few organizations unaffected by the Cybersecurity Requirements for Financial Services Companies regulation.
Section 500.12 requires all covered entities to use multi-factor authentication (MFA) for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the:
- Banking Law;
- Insurance Law; or
- Financial Services Law.
Covered entities have until March 1, 2018 to comply with the MFA requirement.
Insurance Industry
Many of the cybersecurity provisions included in the NY State DFS regulation could also affect the insurance industry.
- Leveraging the DFS regulation, the National Association of Insurance Commissioners (NAIC) is currently working on an Insurance Data Security Model Law.
- On August 7, 2017, the draft was approved by the Innovation and Technology Task Force.
- Pending approval by the NAIC Executive Committee, it will be sent to the Joint Meeting of the Executive Committee and Plenary for vote by all NAIC members.
Because it is a model law, states may choose to adopt or reject it, in whole or in part. If a state adopts the Insurance Data Security Model Law, it becomes the statutory law of that state, meaning many of the cybersecurity provisions included in the NY DFS regulation, including multi-factor authentication, could also affect the U.S. insurance industry.
Equifax Breach Prompts Warning
In light of the 2017 Equifax breach, DFS proposed to extend its data protection rules to credit reporting firms, issued a warning to banks, and issued guidelines on how to limit damage.
With 143 million breached credit files out on the Dark Web, the DFS recommends that banks “review due diligence/Know Your Customer processes used in credit applications to understand the source and reliability of the data, and consider using identity verification fraud services to verify the process.”
We Can Help You Comply with the Cybersecurity Regulation
At VASCO, we are uniquely positioned to help with compliance.
As a global leader in digital solutions for identity, security and business productivity, VASCO can help your organization enable trust in the digital world. More than half of the top 100 global banks rely on VASCO to protect their online, mobile and ATM channels.
We can help with:
- Identity verification and multi-factor authentication
- Fraud prevention
- Mobile application protection
- Risk analysis
To learn more about multi-factor authentication, visit vasco.com.