NYDFS Cybersecurity Regulation: Automated Blocking of Commonly Used Passwords

Overview of the NYDFS Cybersecurity Regulation Update

On November 1, 2023, the New York Department of Financial Services (NYDFS) introduced its second amended Cybersecurity Regulation (23 NYCRR Part 500). The amendments, influenced by extensive public feedback, introduce several significant changes, including heightened cybersecurity requirements for large licensees known as “Class A Companies.” Compliance with these new requirements is mandated by April 29, 2024, with certain provisions having extended transition dates.

Focus: Automated Blocking of Commonly Used Passwords

One notable requirement is the implementation of an automated method to block commonly used passwords for all accounts on information systems owned or controlled by Class A Companies, and wherever feasible, for all other accounts. This measure is designed to enhance security by preventing the use of weak passwords that are easily exploitable by cyber attackers.

“Each class A company shall monitor privileged access activity and shall implement an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.”

Who Must Adhere?

The automated password blocking requirement applies specifically to “Class A Companies.” According to the regulation, a Class A Company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either:

  • Over 2,000 employees on average over the last two fiscal years, including affiliates; or
  • Over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates.

Implementation and Enforcement Timeline

The requirement for automated password blocking became enforceable on April 29, 2024. Organizations that do not yet meet this requirement are encouraged to implement these measures as soon as possible, both to avoid penalties and to secure their environments.

Enforcement and Fines

The NYDFS has established stringent enforcement provisions for non-compliance with the cybersecurity regulation. Covered entities found to be non-compliant may face significant penalties, including financial fines. The exact amount of a fine can vary based on the severity of the non-compliance and the potential impact on the entity’s cybersecurity posture.

Detailed Requirements for Class A Companies

Each Class A Company must:

  • Automate Password Blocking: Implement an automated method to block commonly used passwords. This solution must be in place for all accounts on information systems owned or controlled by the Class A Company. If it is not feasible for certain accounts, the Chief Information Security Officer (CISO) must approve the infeasibility determination and ensure the use of reasonably equivalent or more secure compensating controls.
  • Monitor Compliance: The implementation and effectiveness of the password blocking solution should be monitored regularly. The CISO is responsible for ensuring the compliance and adequacy of these controls.
  • Regular Audits: Conduct regular audits to verify that the automated password blocking solution is functioning correctly and effectively preventing the use of weak passwords.

Compliance Strategies

To fulfill this requirement in the simplest, most secure, and cost-effective manner, Class A Companies should focus on protecting both employee and customer accounts.

Enzoic offers two solutions that make NYDFS compliance straightforward and automated for both employee and customer/member accounts.

  1. Employee password protection with Enzoic for Active Directory
  2. Customer/user password protection with Enzoic’s APIs

Eliminate Compromised Passwords in Active Directory with Enzoic

Enzoic for Active Directory is an easy-to-install plugin that provides a frictionless way to identify, monitor, and remediate unsafe passwords. It offers a comprehensive solution for ensuring password security and compliance with the NYDFS regulation.

  • Automated Password Blocking: Enzoic for Active Directory ensures that new passwords comply with a configurable password policy every time a password is created. It blocks commonly used and compromised passwords automatically, enhancing security across your organization.
  • Continuous Monitoring: Credentials are continuously monitored against Enzoic’s active threat collection database. This ensures that any exposure is detected in real-time, keeping your password security up-to-date.
  • Automated Response: When a user’s information is detected in a data breach, Enzoic automates remediation with actions such as requiring a password reset or disabling the account, ensuring immediate response without additional administrative burden.
  • Real-Time Credential Protection: By screening username and password pairs at creation and monitoring them daily, Enzoic helps organizations stay ahead of potential threats and maintain a strong security posture.

Benefits of Enzoic for Active Directory

  • Time Savings for System Admins: System admins can operate efficiently with customization options and remediation controls that align with organizational needs.
  • Enhanced User Experience: Eliminate periodic, time-based password resets and reduce help desk calls by responding automatically to exposed credentials, so that only users with unsafe passwords are affected.
  • Easily Achieved Compliance: With Enzoic for Active Directory, compliance with NYDFS and many other requirements is achieved with minimal effort.

Get Started with Enzoic for Active Directory

Try Now: Eliminate commonly used and compromised passwords in your environment. Download and try free for up to 20 users.

Product Demo: Watch a full product demo to understand how Enzoic for Active Directory can help enhance security, save time, and reduce administrative costs.

Protecting Customer Accounts on Login with Enzoic’s APIs

While securing internal accounts is crucial, extending password security measures to customer-facing applications is equally important. Enzoic’s Passwords API provides a powerful solution for ensuring users create secure passwords upon account creation and protecting customer and member accounts at each login, helping organizations comply with the NYDFS Cybersecurity Regulation by preventing the use of compromised or commonly used passwords.

How Enzoic’s APIs Enhance Customer Account Security

Enzoic offers RESTful APIs that enable real-time password and credential screening and continuous monitoring for customer accounts. By integrating these APIs into your applications, you can:

  • Screen Passwords at Creation and Change: When a customer creates a new account or changes their password, Enzoic’s Passwords API can check the password against a comprehensive database of compromised and commonly used passwords. If the password is found to be unsafe, the API prompts the user to choose a more secure password, thereby preventing the use of weak credentials.
  • Ongoing Password Monitoring: Enzoic’s Passwords API can continuously monitor your customers’ passwords against new data breaches and password exposures. If a customer’s password is detected in a breach, the API can trigger automated actions such as prompting for a password reset after verifying the user’s identity at next login, enhancing security without manual intervention.
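To make concrete what an “automated method of blocking commonly used passwords” does at the password-creation and password-change step described above (and required of Class A Companies earlier in this post), here is an added example written for this post; it is not Enzoic’s product or API. The blocklist and the MIN_LENGTH policy value are constructed for illustration, and the normalization step catches the trivial variants (capitalization, trailing digits, leet substitutions) that users typically apply to a common password.

```python
import re

# Constructed sample blocklist of commonly used passwords. A real deployment
# would load a large list or consult a breach-corpus service; this is an
# illustration, not Enzoic's product or API.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome", "iloveyou"]

# Hypothetical minimum length for this example's policy
MIN_LENGTH = 12

# Common substitutions reversed, so "p@ssw0rd" is judged as "password"
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Canonical form for blocklist comparison: lower-case, drop the usual
    leading/trailing digits and punctuation ("Password1!"), then undo leet
    substitutions. Purely numeric input normalizes to "", which is why the
    raw lower-cased form is checked as well."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def _blocked_forms() -> frozenset[str]:
    """Index both the raw and normalized form of every blocklist entry."""
    forms = set()
    for entry in COMMON_PASSWORDS:
        forms.add(entry.lower())
        norm = normalize(entry)
        if norm:
            forms.add(norm)
    return frozenset(forms)


BLOCKED = _blocked_forms()


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, message). The message is what the user is shown
    on rejection; the blocklist is checked before length so that a common
    password is reported as such rather than merely as too short."""
    if candidate.lower() in BLOCKED or normalize(candidate) in BLOCKED:
        return False, "This password is too common; choose a different one."
    if len(candidate) < MIN_LENGTH:
        return False, f"Password must be at least {MIN_LENGTH} characters."
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd2024!", "Tr0ub4dor&3", "correct horse battery"]:
        print(repr(pw), check_password(pw))
```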

Compliance with NYDFS Requirements

By implementing Enzoic’s Passwords API for customer account protection, organizations can meet the NYDFS’s requirement to block commonly used passwords wherever feasible, not just for internal accounts but also for customer-facing systems. This proactive approach demonstrates a commitment to cybersecurity best practices and regulatory compliance.

Benefits of Using Enzoic’s APIs

  • Real-Time Protection: Immediate detection of compromised passwords at the point of entry ensures that unsafe passwords are blocked before they can pose a risk.
  • Improved User Security: Encouraging customers to use strong, uncompromised passwords enhances the overall security of your system and protects both the user and the organization from potential breaches.
  • Seamless Integration: Enzoic’s APIs are designed to be easily integrated into existing systems with minimal development effort, providing a quick path to enhanced security.
  • Scalable Solution: Whether you have thousands or millions of users, Enzoic’s APIs can scale to meet your needs without compromising performance.

Get Started

Explore the Documentation: Learn more about Enzoic’s APIs and how they can be integrated into your systems.

Contact Us: For personalized guidance on incorporating Enzoic’s Dark Web monitoring into your login flows, submit the form, and a technical resource will be in touch.

Interactive Demo: Try our online interactive demo to see how Enzoic’s APIs work in real-time (pictured below). The API will flag a password at login if it’s found in Enzoic’s database of weak, commonly used, and compromised passwords.

[Image: interactive API demo screen]

Compliance and Peace of Mind

Compliance with the NYDFS Cybersecurity Regulation is now mandatory for Class A Companies. Implementing automated methods to block commonly used passwords is essential not only to meet regulatory obligations but also to secure the accounts of your employees and customers/members. Enzoic’s solutions for both employee and customer account protection offer an effective and automated way to achieve compliance. If your organization hasn’t yet adopted these measures, it’s important to act immediately to avoid penalties and protect your environment.

AUTHOR

Josh Parsons

Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.