One regulation we help clients with is the New York State DFS 23 NYCRR Part 500 compliance.
Who does DFS regulate?
According to its website: “DFS is the primary regulator for all state-licensed and state-chartered banks, credit unions, and mortgage bankers and brokers. All mortgage loan servicers doing business in New York State must be registered or licensed by DFS. The Department also oversees all of the insurance companies operating in New York, licenses all of the budget planners, finance agencies, check cashers, money transmitters, and virtual currency businesses operating in New York.”
The requirements of part 500 are generally nothing out of the ordinary, or rather, nothing more than what is already considered good practice in the cybersecurity world.
But then there is this:
Section 500.12(b): “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
Like everyone else before me who read this requirement, I understood it to mean the common practice of requiring MFA whenever someone accesses a company’s local area network, or perhaps cloud-based core infrastructure from outside. Teleworking.
Then in September, there was an addition to the FAQs here https://www.dfs.ny.gov/industry_guidance/cyber_faqs which reads as follows:
Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)?
Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.(emphasis added)
I read this over about 5 times. Do they mean that they consider all SaaS applications as a company’s “internal network?” What do they mean by “related services?” Is this limited to document storage or are logs also part of this requirement? Is the part about NPI a requirement for the requirement, or just dicta? It wasn’t at all clear.
So I sent an email to their cybersecurity address for some clarification, or at least the name of the case this rule came from, but no reply was forthcoming.
Then I went about finding the case to see what the agency’s finding actually was. And I did. The case in question is “In the Matter of National Securities Group.”
After reading the case over, I could see why no one from the cybersecurity department at DFS wanted to answer my questions. The case is confusing. There are several places that repeat similar holding like clauses but are ambiguous. It also seems to be about an architecture where O365 “accessed” the company’s “internal network” which suggests that there was a hybrid setup with, presumably, an onsite Exchange server somewhere. I guess? Or do they mean that a connection with O365 counts as access to the internal network it was accessed from? Hard to tell. Then in other parts it doesn’t seem to matter if there was a connection back to the “internal network”.
In any event, after reading the case over several times and piecing it together, I was able to synthesize a rule that I believe will safely satisfy DFS. This is what I tell my clients:
- If a cloud application has any non-public information (NPI) in it, it must have MFA implemented.
- Any cloud application that can access your internal network must have MFA implemented regardless of the kind of information stored in that application.
Does this logically follow from the text of the statute? No.
Is it a good rule? Yes.
Treating cloud applications as part of your internal network is exactly how you should be handling your cybersecurity. I am seeing a clear trend away from managing any network infrastructure at all unless absolutely necessary. For many clients, especially newer businesses, SaaS applications contain all of their data, and they may not have what we think of as an “internal network” at all.
If you need any assistance with DFS compliance, please don’t hesitate to contact Digital Edge. We have an experienced Compliance team ready to assist you in any way you need.