Multi-factor authentication is a method of authenticating users on an information system and requires them to go through multiple steps to access that information system. Commonly, this is accomplished through a combination of a username and password, followed by a requirement for the user to prove their identity again through a notification sent to their mobile device, or by inputting an additional code.
Why is MFA important?
The New York State Department of Financial Services stresses the importance of proper MFA usage and controls for all covered entities in its latest guidance. According to the DFS, approximately 64% of covered entities that reported cyber security events from January 2020 to July 2021 had a gap somewhere in their MFA. The DFS found that more than 18.3 million consumers were impacted by these MFA failures across the nation—and 870,000 of them were New Yorkers.
The frequency of these MFA-related cyber incidents has made this issue DFS’ focus. In its guidance, the DFS announced that it will be increasing its review of MFA during examinations and it will probe for common MFA failures.
DFS suggests best practices
The DFS identified five common areas involving MFA that have led to cyber incidents:
Legacy Systems that do not support MFA. The first area that the DFS identified is the continued use of outdated systems—referred to as legacy systems—that do not support MFA. The Microsoft email system was cited as the most exploited legacy system. To prevent issues, the DFS recommends electing to use a system that employs modern authentication tools, and to keep a proper inventory of Information Technology assets to ensure old legacy systems are not still online.
MFA for remote access fails to cover key applications. While many covered entities utilize Virtual Private Network services that require the use of MFA, many covered entities have email or other applications that can be accessed without VPN access. The DFS cited a lack of MFA for cloud-based services, such as O365 or G-Suite, as a common issue in many cyber incidents. The DFS recommends MFA be in place for remote access to all applications and systems, including those that can be accessed without authentication through a VPN.
Lack of MFA for third parties. Not requiring the use of MFA by third parties that may have access to a covered entity’s information system was another area in which breaches were common. For this issue, the DFS uses independent insurance agents as an example. The guidance states that, sometimes, insurance companies do not require MFA for independent insurance agents who have access to sensitive consumer information. This has led to cyber incidents involving phishing and credential stuffing. The DFS recommends that all third parties be required to use MFA to access a covered entity’s information system.
MFA setups and rollouts that are not completed in a timely manner. A fourth common issue is a slow or incomplete rollout of MFA. The DFS cited instances in which covered entities instituted an MFA self-setup, which required each employee to set up their MFA credentials individually. This resulted in an incomplete rollout of MFA protections and, ultimately, in a cyber incident. To avoid a similar situation, the DFS recommends that covered entities implement MFA with direct oversight and with a plan in place that will eliminate security gaps.
Poor exceptions management. A final common area that the DFS identified is poor exceptions management. It found that some covered entities had granted MFA exceptions to too many users and, often, without reason. The DFS cited the usage of so-called “C-Suite exemptions,” in which a senior member of a covered entity refused to use MFA. The DFS stressed that MFA exceptions should be granted sparingly—if at all—and should not be granted based on the seniority or unwillingness of the user.
MFA best practices
The DFS recommends that covered entities consider MFA a key component of all information-system access controls. To that end, the DFS recommends several additional MFA best practices:
Use MFA for all privileged accounts. User accounts with additional privileges—such as the ability to add or remove software to an information system—should always use MFA.
Consider what type of MFA you should use. Generally, MFA methods involve either push-based MFA or token-based MFA. Push-based MFA requires the user to accept a prompt on a mobile device. Token-based MFA requires the user to manually enter a single-use passcode generated by a computer program. Push-based MFA can be more susceptible to human error than token-based MFA (e.g., when a user errantly approves an access prompt that they did not initiate).
Test and validate MFA implementation. The DFS also stressed the importance of covered entities testing and validating the effectiveness of MFA implementation. IT audits, penetration tests and vulnerability scans should include verification of MFA-control strength, and identification of weaknesses or gaps in the implemented and configured MFA.
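As an added example of the validation step just described (this is not the DFS's method or any vendor's tool), the script below runs a rule set over an account inventory and flags the gaps the guidance names: privileged accounts without MFA, third parties without MFA, remote-access accounts without MFA, MFA gaps with no documented exception, exceptions that need review, and privileged accounts relying on push-based MFA. The CSV columns, the finding codes and the inventory rows are all constructed for this example; a real export from a directory or identity provider would need to be mapped onto those columns first.

```python
import csv
import io

# Constructed sample inventory (not real data). The column set is an assumption about what an
# identity/asset export would contain; map a real export onto these names before running the audit.
SAMPLE_INVENTORY = """\
user,account_type,privileged,remote_access,mfa_enabled,mfa_method,exception_reason
alice,employee,yes,yes,yes,token,
bob,employee,no,yes,no,,
carol,employee,yes,yes,no,,senior executive preference
dave,third_party,no,yes,no,,
erin,third_party,no,yes,yes,push,
frank,service,yes,no,no,,break-glass account documented in ticket PLACEHOLDER-123
grace,employee,yes,yes,yes,push,
"""


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


# Each rule is a finding code paired with a predicate over one inventory row.
# The codes are this example's own labels, grouped by the DFS problem area they correspond to.
RULES = [
    ("PRIVILEGED_NO_MFA",   lambda r: _yes(r["privileged"]) and not _yes(r["mfa_enabled"])),
    ("THIRD_PARTY_NO_MFA",  lambda r: r["account_type"] == "third_party" and not _yes(r["mfa_enabled"])),
    ("REMOTE_NO_MFA",       lambda r: _yes(r["remote_access"]) and not _yes(r["mfa_enabled"])),
    ("UNDOCUMENTED_GAP",    lambda r: not _yes(r["mfa_enabled"]) and not r["exception_reason"].strip()),
    ("EXCEPTION_REVIEW",    lambda r: not _yes(r["mfa_enabled"]) and bool(r["exception_reason"].strip())),
    ("PRIVILEGED_PUSH_MFA", lambda r: _yes(r["privileged"]) and r["mfa_method"].strip() == "push"),
]


def audit_inventory(csv_text: str) -> dict:
    """Return per-user finding codes plus a summary of how complete the MFA rollout is."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {r["user"]: [code for code, pred in RULES if pred(r)] for r in rows}
    without_mfa = [r["user"] for r in rows if not _yes(r["mfa_enabled"])]
    documented = [r["user"] for r in rows
                  if not _yes(r["mfa_enabled"]) and r["exception_reason"].strip()]
    summary = {
        "accounts": len(rows),
        "without_mfa": len(without_mfa),
        "documented_exceptions": len(documented),
        "undocumented_gaps": len(without_mfa) - len(documented),
    }
    return {"findings": findings, "summary": summary}


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for user, codes in report["findings"].items():
        if codes:
            print(f"{user}: {', '.join(codes)}")
    print("summary:", report["summary"])
```

The rules are deliberately simple so that each one maps to a sentence in the guidance; in practice the inventory should come from the same asset list the DFS expects entities to keep, so that a legacy system or an account never enrolled through self-setup cannot be missed because it was never listed.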
What does this mean for agents?
The DFS guidance letter applies to all covered entities under the New York Cybersecurity Regulation (23 NYCRR 500). Already, the regulation requires the use of MFA by covered entities that do not qualify for a 500.19(a) exemption, as part of their cyber security plan. Covered entities that do not qualify for that exemption should review the DFS guidance carefully to ensure their MFA practices do not leave them vulnerable.
Agencies that do qualify for a limited exemption under 500.19(a) are not explicitly required to incorporate MFA at this time. However, the DFS has advised that those agencies still take steps to adopt MFA. The DFS reported that, of the small businesses that reported cyber security events to the department between January 2020 and June 2021, approximately 82% had MFA deficiencies. To find out if you qualify for a limited exemption under 500.19(a), access Cybersecurity regulation—limited exemption in the Ask PIA library.
If you’re interested in MFA, the DFS has partnered with the Global Cyber Alliance to bring GCA’s Cybersecurity Toolkit for Small Business to financial-services companies. The toolkit includes practical tools and instructions for implementing the essentials of cyber security hygiene.
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.