Navigating NY DFS Part 500.12: Multi-Factor Authentication

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.12: Multi-Factor Authentication (Deadline: February 15, 2018)

This section requires that a covered entity, based on its risk assessment, use “effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication” to protect nonpublic information and information systems from unauthorized access.

Further, this section requires that multi-factor authentication be used for any individual accessing the covered entity’s internal networks from an external network, unless the covered entity’s CISO has approved, in writing, the use of reasonably equivalent or more secure access controls.