How recent New York State cybersecurity regulations could affect your business

July 15, 2024

Regulated industries must now consider the broad implications of operating in New York and doing business with end-users in New York.

23 NYCRR Part 500, a recently revised mandate from the New York State Department of Financial Services (NYDFS), is a set of cybersecurity regulations to protect customer data and organizations against cyber threats and fraudsters. This broad and far-reaching regulation applies to any entity operating under NYDFS licensure, including banks, insurance companies, and other financial institutions. The regulation mandates a comprehensive cybersecurity program, risk assessments, and specific security measures.

MFA Requirement for 23 NYCRR Part 500

The revised 23 NYCRR Part 500 regulation requires comprehensive MFA and account protections to safeguard platforms, organizations, and end-users against identity attacks.

The MFA requirement under 23 NYCRR Part 500 is a critical component designed to enhance the security of financial institutions' information systems and protect against compromised credentials. The regulation mandates using MFA to ensure only real, unique humans can access digital platforms and personal information.

What is Multifactor Authentication (MFA)?

Amendments to New York’s first-in-the-nation cybersecurity regulations mandate new controls for MFA, including but not limited to:

  • Mandatory Implementation: Financial institutions must implement MFA for any individual accessing internal systems from an external network unless the CISO has approved using reasonably equivalent or more secure access controls in writing.
  • Access to Non-public Information: MFA must be used to protect any non-public information, such as sensitive customer data and critical operational systems.
  • Remote Access: MFA is required to access the entity's internal network remotely.
  • Equivalence or More Secure Access Controls: If MFA is not used, the institution's Chief Information Security Officer (CISO) must approve the use of alternative controls that are equally or more secure. These alternatives must be documented and justified.

How to comply with 23 NYCRR with Twilio Verify for Identity Verification and Protection

Twilio Verify is a purpose-built API tailored for MFA, offering various channels to suit diverse user preferences and needs. By providing multiple authentication channels through a single API, Twilio Verify empowers developers to create customizable and user-friendly MFA experiences, enhancing security while catering to diverse user preferences and accessibility requirements.

SMS OTPs, or One-Time Passcodes, offer a familiar and straightforward user experience, requiring only a mobile phone number, simplifying the verification process and reducing friction in user interactions. As an out-of-the-box experience, Verify manages the complexities of building and maintaining authentication logic as well as the nuances of the telephony ecosystem.

With Verify, organizations get all the delivery channels, including those added in the future, and global optimization, monitoring, maintenance, insights, and fraud controls right out of the box. Some of Twilio's largest customers have deployed Verify in as little as two weeks, with little to no ongoing maintenance overhead. Twilio Verify can help organizations strengthen their defenses and comply with regulatory requirements such as 23 NYCRR Part 500 with an added layer of seamless authentication and identity intelligence.

Learn more about Twilio User Authentication & Identity

SMS MFA Today and Future-proofing for Tomorrow

SMS is a popular choice for MFA since almost everyone has a mobile phone. However, newer, higher-assurance authenticators such as authenticator apps, hardware tokens, biometric authentication, and push authentication offer greater security than traditional SMS-based methods. SMS alternatives can be less susceptible to SIM swapping, SMS pumping fraud (artificially inflated traffic), and SMS phishing attacks.

Alternatives for SMS-based MFA on the Verify API include:

  • Silent Network Authentication: Silent Network Authentication (SNA) is a secure authentication method that protects end-users, accounts, and transactions without requiring users to wait or leave a mobile app. It uses direct carrier connections to verify possession of a phone number in the background without requiring user input.
  • Time-based one-time passcodes (TOTP): Mobile authenticator apps generate OTPs or send push authentications, which are more secure than SMS OTPs. End-users have various free options available for consumer use, including Authy or Google Authenticator. Authenticator apps function even without cellular service or data.
  • Push Authentication: Verify Push verifies users by adding a low-friction "push" authentication factor in your mobile apps. This service allows you to seamlessly verify users in-app via a secure channel, without the risks, hassles, or costs of OTPs.
  • Passkeys (on top of WebAuthn): WebAuthn, a browser-based API, uses registered devices for secure user authentication through public key cryptography, protecting against phishing. Passkeys are an industry standard that eliminates passwords and makes authentication more secure while keeping things user-friendly. Verify Passkeys is a strong authentication choice for users with Authy or Google Authenticator on their mobile device or computer.

Some newer technologies are not as universally adopted, making SMS OTPs valuable as fallback mechanisms.

Start building with Twilio Verify

The MFA requirement is a critical measure for improving the security of financial institutions. Requiring multiple forms of verification ensures that access to sensitive systems and data is carefully controlled, reducing the risk of unauthorized access and potential breaches. MFA helps organizations comply with regulatory requirements and strengthens their security posture.

Now that you know more about the regulation and our products, check out Verify – we can't wait to see what you build!