Why NYDFS Matters

Compliance with NYDFS is mandated for all New York licensed entities. Non-compliance may result in financial penalties, reputational damage, increased regulatory scrutiny, and/or heightened security risks. While working with institutions to implement NYDFS requirements, we've identified multi-factor authentication (MFA) and encryption as key barriers to compliance.

500.12 Multi-Factor Authentication

Requirement Challenges

  • Many organizations face challenges with determining the scope of applications, systems, users, etc., that require MFA.

  • Legacy applications that house important data but do not support MFA.

  • Ensuring MFA works seamlessly across multiple third-party applications and cloud-based systems requires careful planning.

Our Implementation Recommendations

  • Risk-Based Approach: A risk-based approach to MFA implementation, where the level of authentication strength is proportional to the sensitivity of the information being protected and the potential impact of a security breach. Institutions should focus on the criticality of applications and prioritize high-risk systems.

  • User Experience: Balancing security and usability is crucial. Firms should consider MFA solutions that are effective yet user-friendly to ensure compliance and user adoption.

  • Compensating Controls: When MFA is not a viable option, but an equally strong security measure is required by the regulations, Capco supports institutions in developing strategies (network segmentation, application whitelisting, enhanced monitoring, etc.) to limit risk exposure.

500.15 Encryption of Nonpublic Information

Requirement Challenges

  • Identifying and categorizing sensitive data (structured / unstructured) for encryption can be technically complex and costly for institutions.

  • Organizations must ensure their system of record / database of applications (such as CMDB) is accurate and up-to-date in order to scope NPI data correctly.

Our Implementation Recommendations

  • Institutions should be diligent about scoping of applications to ensure any system with NPI data is considered in-scope.

  • NPI data must be encrypted at rest and in transit.

Capco's Solution

NYDFS 500 Expertise

  • Vast experience in assessing NYS DFS 500 compliance

  • Capco-owned accelerators to streamline the assessment, limit cost, and minimize time

  • Market intelligence to calibrate the capabilities to be deployed for each requirement

Implementation Experience

  • We support multiple financial services organizations with the implementation of regulatory remediation initiatives

  • Hands-on experience, including in incident response management, resilience, risk assessment, and MFA

Regulatory Compliance

  • Capco has been helping several institutions with regulatory readiness assessments, audit responses and regulatory remediation programs, including on horizontal reviews and DFS assessments

  • Our recommendations are based on market practices and regulatory bodies' expectations, and are targeted and actionable

How Capco Can Help

Capco is well-versed in providing clients with audit / regulatory readiness for upcoming deadlines, assessment and gap analysis, recurring annual assessments, maturity modeling, and remediation of audit / regulatory findings.

Connect with a Capco Expert

Julien Bonnay

US Cybersecurity Practice & Solution Lead

Ma-Nyahn Kromah

US Cybersecurity Regulatory Compliance Lead

Stephanie Paolillo

US Cybersecurity Regulatory Compliance Lead

Hayden Phung

US Cybersecurity Regulatory Compliance Lead