How Okta helps New York financial service companies comply with new MFA requirements

In 2017, the New York Department of Financial Services (NYDFS) issued new requirements concerning Identity and Access Management (IAM). The intent was clear: to protect institutional and customer data by requiring multi-factor authentication (MFA) or equivalent measures.

In practice, however, the strengthening of Identity-based security has been slow to materialize. So slow, in fact, that in 2021 NYDFS issued a letter underscoring their concern about the pace of changes made in response to the initial ruling.

The result: Far too few financial service firms are adapting to new regulations with modern MFA practices. We’ll outline how Okta can help financial services firms comply with new MFA rules and set themselves up for success in the long run with an Identity platform that delivers business and security wins across the organization.

Key compliance dates

The Cybersecurity Implementation Timelines are dictated by your business category. Use the official links below to review the most up-to-date compliance dates for your classification.

In the following chart, you’ll find upcoming key compliance dates.

TYPE OF AFFECTED BUSINESS | RELEVANT SECTION # | DEADLINE

Small Businesses | Section 500.12(a) | November 1, 2024

  • Implement the multifactor authentication (MFA) requirements outlined in Section 500.12(a) if you haven’t already.

Small Businesses | Section 500.7 | May 1, 2025

  • Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
  • Review access privileges and remove or disable accounts and access that are no longer necessary.
  • Disable or securely configure all protocols that permit remote control of devices.
  • Promptly terminate access following personnel departures.
  • Implement a reasonable written password policy to the extent passwords are used.
  • Monitor privileged access activity.
  • Implement a privileged access management solution.
  • Implement an automated method of blocking commonly used passwords.

Class A Businesses and Covered Entities | Section 500.7 | May 1, 2025

  • Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
  • Review access privileges and remove or disable accounts and access that are no longer necessary.
  • Disable or securely configure all protocols that permit remote control of devices.
  • Promptly terminate access following personnel departures.
  • Implement a reasonable written password policy to the extent passwords are used.
  • Monitor privileged access activity.
  • Implement a privileged access management solution.
  • Implement an automated method of blocking commonly used passwords.

Class A Businesses and Covered Entities | Section 500.12 | November 1, 2025

  • Implement multi-factor authentication for all individuals accessing information systems.

Common issues adopting MFA

The security threats facing financial services firms are serious, and Identity remains the #1 attack vector in today’s threat landscape. Over 80% of data breaches involve some form of compromised Identity. (Verizon, 2024)

But as they navigate an increasingly sophisticated threat landscape, many financial service companies are encountering stumbling blocks that delay or prevent the security modernization they need to meet the moment. These are a few of the main culprits:

Legacy IAM systems

A top obstacle for financial service organizations looking to comply with new NYDFS rules is legacy Identity that simply can’t support MFA. Outmoded applications and systems tend to limit organizations to basic forms of authentication like username/password credentials. Some of these legacy systems have announced the rollout of more modern authentication methods, but that transition has been extremely slow to deliver the enterprise-level MFA companies need. Financial service organizations can’t afford to wait; they need modern authentication options that enable secure access to essential workforce systems, platforms, and applications.

Sources of friction

What’s more, legacy systems often undermine the ability to 1) maintain unified visibility into who has access to what and 2) enforce consistent least-privilege access protocols through a well-defined access request process. Legacy Identity often consists of a fragmented patchwork of different solutions, making it difficult for security teams to verify whether the organization is suffering from access sprawl or improper enforcement of access policies. Bottom line: In addition to MFA, financial services organizations need robust Identity governance and security posture management.

Third-party vulnerabilities

Most financial service companies understand the application of MFA within their full-time workforce. But many companies fail to extend these protocols to third parties such as partners and contractors, permitting these essential collaborators to access nonpublic information without requiring MFA. This not only increases the risk of a breach, but it also directly violates the NYDFS MFA requirement.

Other issues

  • Weak multi-factor authentication, like SMS one-time passwords, is easy for bad actors to circumvent and may undermine NYDFS compliance.
  • Privileged accounts should be the highest priority when it comes to securing access with MFA, but many financial services companies are falling short.
  • Remote access requires specific security protocols such as additional, context-specific authentication, but many firms either don’t take this into account or inconsistently implement remote access protocols.
  • Inconsistent authentication policies: as more companies adopt SaaS solutions, their authentication policies and MFA requirements are not always applied consistently, leading to gaps that go unnoticed.

A look at the full opportunity

For one or more of these reasons, many financial services firms are struggling to comply with NYDFS’s MFA requirements, which leaves them vulnerable to both potential regulatory action and breaches initiated by bad actors.

But as they work to modernize their workforce Identity in alignment with a shifting regulatory landscape, financial service organizations shouldn’t limit their approach to Identity to MFA. For starters, this will only prolong their game of catch-up. By neglecting to get ahead of tightening cybersecurity norms, their security teams are likely to run into the same problem over and over again: the limitations built into their legacy Identity solutions.

Perhaps more importantly, taking a leap into truly modern Identity offers a wealth of business-furthering opportunities. Identity is more than a login box. With the right Identity solution, financial services can drive meaningful improvements across the board –– we’re talking about better security and business outcomes.

Let’s get into how, starting with the most pressing issue: MFA.

How Okta solves for MFA

Okta supports full compliance with the access and authentication requirements detailed in the NYDFS ruling. Our unified approach to Identity allows financial services companies to bring their IAM, Identity governance and administration (IGA), and privileged access management under one platform, which mitigates the risks associated with fragmented legacy Identity and supports better compliance.

Okta Adaptive MFA

Okta Adaptive MFA, including Desktop MFA, meets all requirements for compliance with the MFA mandate spelled out in the NYDFS guidelines Section 500.12 and helps ensure security for all user groups across virtually any application. MFA must be enforced for access to the cloud, hosted systems, on-premises apps, workstations, servers, etc. By leveraging contextual information from each login, Adaptive MFA is able to add an extra step to authentication in situations that are deemed high-risk –– e.g., login from a new device or unrecognized network.

This delivers both strong security and ease of use across the entire organization: it reduces the risk from compromised passwords, streamlines the user experience, and better protects the device and everything that can be accessed through it.
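To make the step-up idea in the Adaptive MFA section concrete, here is an added example of a contextual risk-based decision. It is illustrative code written for this page, not Okta’s implementation: the network ranges, resource names, factor names and the rule that a single risk signal triggers a step-up are all constructed assumptions. It shows the two signals the text names (new device, unrecognized network), treats privileged resources as always requiring an extra factor, excludes SMS one-time passwords for privileged access in line with the “Other issues” list, and enrols a device after a successful step-up so the same context is low-risk next time.

```python
# Added example (not Okta's code): a minimal risk-based step-up decision of the
# kind the Adaptive MFA paragraph describes. Every network range, resource name,
# factor name and threshold below is a constructed assumption for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address space; a source outside it is "unrecognized".
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

# Resources treated as privileged regardless of other context (assumed names).
PRIVILEGED_RESOURCES = {"admin-console", "core-banking-db"}

# Factor names are assumptions; SMS OTP is excluded for privileged access
# because the page lists it among weak factors.
ALL_FACTORS = {"webauthn", "totp", "push", "sms"}
WEAK_FACTORS = {"sms"}


@dataclass(frozen=True)
class LoginContext:
    user: str
    device_id: str
    source_ip: str
    resource: str


@dataclass
class UserBaseline:
    known_devices: set


@dataclass(frozen=True)
class Decision:
    action: str                    # "allow" (first factor suffices) or "step_up"
    reasons: tuple                 # risk signals that drove the decision
    acceptable_factors: frozenset  # factors that may satisfy a step-up


def risk_signals(ctx, baseline):
    """Return the contextual risk signals present in this login."""
    signals = []
    if ctx.device_id not in baseline.known_devices:
        signals.append("new_device")
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETWORKS):
        signals.append("unrecognized_network")
    if ctx.resource in PRIVILEGED_RESOURCES:
        signals.append("privileged_access")
    return signals


def evaluate(ctx, baseline):
    """Decide whether the first factor suffices or an extra factor is required."""
    signals = tuple(risk_signals(ctx, baseline))
    if not signals:
        return Decision("allow", signals, frozenset())
    # Privileged access must not be satisfied by a weak factor.
    factors = ALL_FACTORS - WEAK_FACTORS if "privileged_access" in signals else ALL_FACTORS
    return Decision("step_up", signals, frozenset(factors))


def record_step_up_success(ctx, baseline):
    """After a successful step-up, enrol the device so the same context is low-risk next time."""
    baseline.known_devices.add(ctx.device_id)


def run_samples():
    """Evaluate constructed login events and return the resulting decisions."""
    baseline = UserBaseline(known_devices={"laptop-001"})
    events = [
        LoginContext("alice", "laptop-001", "10.20.30.40", "hr-app"),        # known device, corporate net
        LoginContext("alice", "laptop-001", "203.0.113.7", "hr-app"),        # known device, unknown net
        LoginContext("alice", "phone-009", "10.20.30.40", "hr-app"),         # new device on corporate net
        LoginContext("alice", "laptop-001", "10.20.30.40", "admin-console"), # privileged resource
    ]
    decisions = []
    for ev in events:
        d = evaluate(ev, baseline)
        decisions.append(d)
        if d.action == "step_up" and "new_device" in d.reasons:
            record_step_up_success(ev, baseline)  # assume the extra factor succeeded
    # The phone is now enrolled, so the same context no longer triggers a step-up.
    decisions.append(evaluate(LoginContext("alice", "phone-009", "10.20.30.40", "hr-app"), baseline))
    return decisions


if __name__ == "__main__":
    for d in run_samples():
        print(d.action, d.reasons, sorted(d.acceptable_factors))
```

Running the block prints one line per constructed event: the known-device, corporate-network login is allowed on its first factor, the unknown-network and new-device logins are stepped up with any factor, the admin-console login is stepped up with SMS excluded, and the re-tried phone login is allowed once the device has been enrolled.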

Okta Identity Security Posture Management

With Okta Identity Security Posture Management an organization can:

  • Proactively assess Identity risk posture
  • Continuously uncover critical misconfigurations and gaps, such as inconsistent MFA enforcement and account sprawl
  • Prioritize and remediate the most pressing issues based on risk severity

Okta Lifecycle Management

The new NYDFS mandates specify that access controls must be “based on the individual facts and circumstances presented” –– that is, grounded in clearly defined policies that determine access based on the organizational specifics of your business. Okta Lifecycle Management supports this level of access management by helping IT and security teams easily set access and entitlement rules based on attributes such as group membership. Lifecycle Management also sets a new standard for visibility by giving security leaders a unified view of who has access to what, which helps prevent the over-permissioning that can lead to improper access.

The full benefit of Identity-powered security

The regulatory and industry landscapes are constantly shifting. To adapt, financial services organizations need a security solution that also acts as a business driver. Within Workforce Identity that means integrating secure, seamless Identity functions across the organization to achieve three far-reaching goals:

  • Strengthening security posture by extending context, risk signals, and policy-based automation across every Identity action and decision.
  • Doing more with fewer resources by consolidating Identity into a single view to reduce complexity and allow manual processes to be automated.
  • Driving agility by speeding up requests, approvals, and critical access to important resources without compromising security.

Complying with new NYDFS MFA requirements is only the most pressing of financial service organizations’ Identity needs. To remain secure and competitive amidst ever-changing risk, regulatory, and business environments, you need a unified Identity solution that helps your organization lead the pack in workforce security and core efficiency KPIs. Thousands of customers worldwide rely on Okta to achieve their security goals.

Want to learn more about how Okta can support better compliance, better security, and better business? Schedule a demo with our team and see our Okta Platform in action.