NYDFS Issued Industry Guidance on Multi-Factor Authentication

On December 7, 2021, the New York Department of Financial Services (NYDFS) issued Industry Guidance for all regulated entities on Multi-Factor Authentication (MFA) as an essential technical control required by the Cybersecurity Requirements for Financial Services Companies regulation 23 NYCRR § 500.12 of NYCRR Part 500 of the New York Codes, Rules, and Regulations.  

NYDFS cited lack of effective MFA as the leading cybersecurity gap exploited in cyber-attacks and referenced MFA “being absent, not fully implemented, or configured improperly” as the most common cybersecurity weakness exploited at financial services companies.  

From January 2020 to July 2021, NYDFS found that approximately 64% of covered entities that reported cybersecurity events had some gap in their MFA and more than 18.3 million consumers were impacted by cyber incidents in which covered entities had MFA failures. 

MFA protects against unauthorized access to nonpublic information or information systems and is essential for cybersecurity and to meet regulation requirements. NYDFS states that MFA is important for all businesses, whether large or small, and cautions that entities exempt from requirement to implement the cybersecurity control are at high risk without it. NYDFS reviewed many incidents involving small businesses where cybercriminals exploited the fact that MFA was not implemented. In addition to adoption of MFA for protection from unauthorized access, NYDFS encourages testing to validate the effectiveness of MFA implementation and specifies that any exceptions should be scrutinized. The NYDFS MFA Guidance details common violations related to MFA and provides remediation recommendations for large and small entities.  

The purpose of NYDFS cybersecurity regulation is to bolster the financial services industry’s defenses against cybersecurity attacks to protect financial markets and consumers’ private information. The Department’s Cybersecurity Requirements for Financial Services Companies became effective March 1, 2017, with a two-year implementation period. The final effective date for the regulation was March 1, 2019, by which time, NYDFS regulated entities were required to have written and implemented cybersecurity policies and procedures to ensure the security of nonpublic information and information systems. 


The Department referenced two enforcement actions settled in 2021 against companies that were required to implement MFA but had not fully done so, which failed to prevent unauthorized access to their nonpublic information. NYDFS disclosed that it is increasing its review of MFA during examinations, with particular emphasis on probing for common MFA failures detailed in the MFA Guidance. 

To read NYDFS Industry Guidance on Multi-Factor Authentication: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211207_mfa_guidance