Who Must Perform a Detailed MFA Risk Assessment?

NYDFS Regulated Entities

If you are regulated by the New York Department of Financial Services (NYDFS), you must perform an MFA risk assessment to comply with Part 500.12, with a written compliance certification signed by the board of directors or a senior officer due Feb 28, 2019. The regulation mandates multi-factor or risk-based authentication, based on a risk assessment. Without a detailed MFA risk assessment, how can you determine your risk, decide what type of authentication you need, and demonstrate compliance?

Why?

Failure to perform a detailed MFA risk assessment, implement proper internal controls and attain compliance by the deadlines carries significant risks:

  • License or charter revocation (e.g. NYDFS can revoke a license or charter and shut down the business)
  • Civil money penalties
  • Data breaches or fraud (e.g. gaps and blind spots allowing criminals to break in and steal consumer data or commit massive fraud)
  • Class action lawsuits (e.g. state Attorneys General or private plaintiff class action lawsuits alleging non-compliance and consumer harm)


Additionally, a detailed MFA risk assessment will enable you to implement the optimal type and level of authentication, so you can prevent fraud and data breaches across the enterprise, reduce consumer acquisition costs and avoid abandonment costs, while ensuring a frictionless experience for your consumers.

Who Should Perform a Detailed MFA Risk Assessment?

All Other Entities

All entities should perform a detailed MFA risk assessment in order to mitigate risk and ensure safe and sound operations. Additionally, the National Institute of Standards and Technology (NIST) has issued the Digital Identity Guidelines, which describe the standards for multi-factor authentication. So, unless you perform a detailed MFA risk assessment, how do you know where your risks are, whether your internal controls are adequate, where you are using multi-factor authentication, whether it is adequate and commensurate with the risks, and what type of authentication you need to prevent data breaches and fraud, while ensuring a frictionless experience for your consumers and the continued growth of your business?

Why?

Failure to perform a detailed MFA risk assessment and implement proper internal controls carries significant risks:

  • Regulatory enforcement action or penalties (e.g. your federal or state regulator can take enforcement action or assess penalties for unsafe and unsound operations)
  • Data breaches or fraud (e.g. gaps and blind spots allowing criminals to break in and steal consumer data or commit massive fraud)
  • Class action lawsuits (e.g. state Attorneys General or private plaintiff class action lawsuits alleging unsafe and unsound operations and consumer harm)

The MFA Risk Assessment

Neustar’s team of nationally recognized subject matter experts has developed the Multi-Factor Authentication (MFA) Risk Assessment to enable all entities to perform a comprehensive risk assessment, attain compliance and mitigate risks. There is no cost for anyone to download and use the MFA Risk Assessment. It follows an industry-best-practice operational risk assessment methodology and is modeled after the FFIEC Cybersecurity Assessment Tool, the NIST Digital Identity Guidelines, the NIST Cybersecurity Framework and other authoritative sources. It is easy to use and will quickly identify your gaps, weaknesses and blind spots across the enterprise so you can implement timely risk mitigation.

Here’s how it works:

  • You register and download the Excel file.
  • The MFA Risk Assessment is an Excel file with built-in instructions. For each enrollment, transaction and process across the enterprise, in particular in the digital channel and the contact center, you record whether you are using authentication, whether it is multi-factor, and whether you have compensating controls. From this the assessment determines not only inherent risk but also the adequacy of controls and the residual risk, so you can identify gaps, weaknesses and blind spots. You can then add the missing controls, see their impact on residual risk, and from that define the target state and the corrective action plan needed to attain compliance and mitigate risks.

    [Screenshot: Snapshots of the MFA Risk Assessment with the Built-in Risks, Controls, etc.]
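The inventory-and-residual-risk logic described above, as an added illustrative model that is not Neustar's spreadsheet or its scoring: each row is an enrollment, transaction or process in a channel; inherent risk is rated 1 to 4; the control-strength points, the risk appetite and the sample inventory are all assumptions constructed for this example.

```python
"""Toy MFA risk assessment worksheet (added example, not Neustar's tool).

Residual risk = inherent risk minus control strength, floored at Low.
Rows whose residual risk exceeds the risk appetite are reported as gaps,
together with the residual risk they would have once MFA is added.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RATINGS = {1: "Low", 2: "Moderate", 3: "High", 4: "Critical"}

@dataclass
class ProcessRow:
    name: str
    channel: str                  # e.g. "digital" or "contact center"
    inherent: int                 # 1-4 inherent risk before any controls
    authenticated: bool
    multi_factor: bool
    compensating: list[str] = field(default_factory=list)

def control_strength(row: ProcessRow) -> int:
    """Assumed scoring: MFA is worth 2 notches, single-factor auth 1, and
    compensating controls at most 1 in total, so they never substitute for MFA."""
    strength = 0
    if row.authenticated:
        strength += 2 if row.multi_factor else 1
    if row.compensating:
        strength += 1
    return strength

def residual_risk(row: ProcessRow) -> int:
    return max(1, row.inherent - control_strength(row))

def find_gaps(rows: list[ProcessRow], appetite: int = 2) -> list[tuple]:
    """Return (name, channel, residual now, residual with MFA) for rows over appetite."""
    gaps = []
    for row in rows:
        res = residual_risk(row)
        if res > appetite:
            target = ProcessRow(row.name, row.channel, row.inherent, True, True, row.compensating)
            gaps.append((row.name, row.channel, RATINGS[res], RATINGS[residual_risk(target)]))
    return gaps

# Constructed sample inventory; ratings are illustrative only.
SAMPLE = [
    ProcessRow("account enrollment", "digital", 4, True, True, ["device reputation"]),
    ProcessRow("wire transfer", "digital", 4, True, False),
    ProcessRow("password reset", "contact center", 3, True, False),
    ProcessRow("balance inquiry", "contact center", 2, True, False, ["call-back to number on file"]),
    ProcessRow("address change", "digital", 3, False, False),
]

if __name__ == "__main__":
    for gap in find_gaps(SAMPLE):
        print("GAP: %s (%s) residual %s -> %s with MFA" % gap)
```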

Free Webinar

Watch Neustar's free on-demand webinar: "Multi-factor Authentication: What You Must Do to Remain Compliant."

View Webinar