Digital Authentication in the Age of NY’s DFS Cyber Regulations

SDO Marketing Staff | May 2, 2018

Amongst the wide range of data legislation being cranked out by governments over the past several years, the New York State Department of Financial Security’s (NYS DFS) cyber regulations are some of the most important and influential.

As New York City is very much the “financial capital” of the globe, regulations codified by State authorities affect a large swath of the business world. These new rules governing digital security, many of which came into effect only recently in March, now affect some 1,400 insurance companies and 1,500 banks and financial institutions.

The Risk Assessment Scheme

The overall purpose of the Regulations is to take a risk-based approach to the application of their requirements.

This is good as it gives companies a lot of flexibility as to how to go about their network security. The potential downside is that with this leeway comes a lot of responsibility.

The DFS is demanding enterprises step up to the plate and take initiative on which aspects of their system security need strengthening. This will have particularly big implications for companies when it comes to choosing the right authentication tools.

 

New Standards in Authentication

The DFS regs touch on pretty much every area of an organization’s operations. These include requirements to:

  • set up digital “asset inventory and device management” to account for all the access points to systems
  • conduct regular “penetration and vulnerability assessments”
  • create “application security” protocols for in-house developed software
  • update cybersecurity personnel with threat intelligence and research

One of the most consequential of all of DFS’s new cyber laws is the much-cited Section 500.12 on Multi-Factor Authentication or MFA.

The opening section of the DFS regulations states in no uncertain terms that “identity management” is one of the pillars of a viable financial system in the digital era. To this end, Section 500.12 requires MFA be applied for accessing internal company networks from an external network. It also calls for MFA or similar security tools for any engagement with private information such as identification or financial details, even when accessed from within the organization’s network.

What this means for businesses operating in New York is that organizations will need to adopt authentication tools to guarantee higher levels of security for personal identity. Only in this way can companies hope to achieve compliance with DFS’s new standards.

 

Perfect Timing for a Paradigm Shift in Authentication

While multi-factor tools have been around for a while, the industry has been slow in adopting them.

This has been due to a variety of factors, not the least of which is a poor integration of user experience, or UX, on many new platforms.

On the one hand, companies want to offer efficient UX in order to achieve smooth operations for employees and unfettered access for clients. At the same time, banks and other financial institutions, with the billions of dollars of assets they safeguard, have had to contend with the security reality and the need to integrate additional layers for identity protection.

From the perspective of the DFS, the time was ripe to establish rules on authentication integrity.

On the security end, the outdated nature of traditional, password-based systems has never been clearer, with the overwhelming majority of hacks having resulted from weak passwords.

In terms of user experience, the industry began to produce tools to minimize all the UX drawbacks that users once had to live with.

Giving Users the Edge

When it comes to authentication, regulation compliance no longer has to mean trading efficiency for strength.

Deploying the authentication system of Secret Double Octopus allows users to have the best of both worlds. Based on the mathematically unbreakable Secret Sharing scheme, the Octopus Authenticator gives users the edge by providing an impeccably smooth user experience along with unmatched identity security.

Additionally, Secret Double Octopus provides the most dynamic solution for company operations, by eliminating passwords, and with them, all the logistics involved in their storage and maintenance.