The New York Department of Financial Service recently clarified security incident notification requirements and the use of multi-factor authentication. On its FAQ page, the NYDFS added two new questions and answers for financial services companies subject to 23 NYCRR Part 500.

The first answer explains that covered entities must notify the NYDFS of security incidents that occur at a third-party service provider. Even if the third party notifies NYDFS on the covered entity’s behalf, covered entities still must directly notify the department. This requirement helps the NYDFS quickly identify threats and appropriately respond.

The second answer clarifies when covered entities must use multi-factor authentication. Namely, MFA should be used whenever accessing internal networks from an external network. This includes email, document hosting, and related services (whether on-premise or cloud-based). MFA may not be necessary if a covered entity’s CISO documents approval of similar or more secure access controls.

Putting it Into Practice: These updates highlight the importance of having proper breach notification procedures and security controls. Companies are reminded to notify the department of relevant breaches and to enable MFA by default for accessing internal networks.