The New York Department of Financial Services has issued new regulations (codified in N.Y. Comp. Codes R. & Regs. tit. 23, Pt. 500) imposing cybersecurity requirements on “covered entities” and “third party service providers”.
A “covered entity” is defined under these regulations as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services law” (Ibid. § 500.01[c]), while a “third party service provider” is defined, in essence, as a person “who provides services to the Covered Entity . . . and . . . maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.” (Ibid. § 500.01[n])
To put this in simpler terms, our clients who are licensed or registered as a mortgage banker or mortgage broker under the New York Banking Law are Covered Entities, while Docutech is a Third Party Service Provider for such clients. Further details about New York’s cybersecurity regulations and the entities to which they apply can be found here: https://www.dfs.ny.gov/about/cybersecurity.htm.
These new rules include (inter alia) the following requirement:
“(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.
(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.” (Ibid. § 500.12)
While the text of this section applies only to Covered Entities, Ibid. § 500.11(b) requires Covered Entities to have policies and procedures which “include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers”, and those guidelines must address “the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information” (Ibid. § 500.11[b][1]).
Accordingly, we are introducing new settings in our system which, when enabled, require multi-factor authentication for accessing certain accounts in our system. “Multi-Factor Authentication” under the new regulations is defined as:
“. . . authentication through verification of at least two of the following types of authentication factors:
1. Knowledge factors, such as a password; or
2. Possession factors, such as a token or text message on a mobile phone; or
3. Inherence factors, such as a biometric characteristic.” (Ibid. § 500.01[f])
This new setting will be available on April 6, 2018, and further details about it are provided in Release Notes 4.8.2. If you have any questions or concerns about these changes, please contact Client Support at 1.800.497.3584.