What is the source of these laws/regulations?
23 NYCRR 500 (Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York), also known as New York's "Cybersecurity Requirements for Financial Services Companies".
SOURCE: 23 NYCRR 500. This documentation comes from the official website of New York's Department of Financial Services and can be found under Industry Guidance > Cybersecurity Resource Center > Text of Regulation (link: https://www.dfs.ny.gov/industry_guidance/cybersecurity).
Who does this apply to?
Financial services entities -- including insurance agencies -- doing business in the state of New York.
What are the relevant sections of the law?
Section 500.01 part (c) - Defines "Covered Entity"; licensed insurance agents fall within that definition.
Section 500.11 - Sets the "Third Party Service Provider" security policy requirements (part (c) is the limited exception for agents of a Covered Entity who follow that entity's policy).
Section 500.12 - Sets the Multi-Factor Authentication requirements.
Your responsibility under the law (as it relates to Agency Revolution)
You must complete periodic questionnaires regarding your cybersecurity compliance, which are to be referenced in the report prepared each year by your firm's designated security officer (the regulation calls this role the Chief Information Security Officer). Depending on your corporate structure, that may be handled at your individual DBA level or by your larger broker-dealer / registered investment adviser (BD/RIA).
These regulations took effect on March 1, 2017, with a transitional period of up to two years to comply, which means that as of March 1, 2019 you should be in compliance.
Is Agency Revolution in Compliance with the Multi-Factor Authentication law?
In short: Yes.
Here's a simple summary addressing the regulations as defined in section 500.12, parts (a) and (b).
Part (a) - We primarily use Risk-based Authentication across all FMG companies, including Agency Revolution. In some cases we use multi-factor methods as well, particularly for access from the outside networks covered by part (b).
Part (b) - For access from what we define as an "Outside Network" (the regulation's "external network"), we require multiple authentication factors for the restricted staff who are allowed to access collected datasets and/or production databases.
Does the law require multi-factor authentication for my Fuse end-user login?
In Short: No.
New York's regulations say you must gather information about how the third-party products you use protect your customers' data. This does not directly relate to your individual access to the end-user tool (i.e. your login for your Fuse account). It relates to the cybersecurity and privacy measures of the company operating the product (i.e. FMG Suite / Agency Revolution).
Put simply, these regulations relate to how Agency Revolution handles its own internal access to the data -- for example, our developers' access to the underlying database and application servers running the product -- not to your individual Fuse user logins.
How you protect your own passwords and monitor your user accounts is up to you. That is your procedure to describe in the report that New York requires. What you need to know from us is that we operate internally using the industry standards New York requires.
Will Fuse accounts ever start requiring Multi-Factor Authentication?
It's not planned at this time. We have many users under these and similar regulations, but multi-factor authentication for end-user logins is not required by them, and there has been little interest in adding it. Among marketing services it is basically unheard of to require it, and rare even to find it offered as an option.
That being said, this topic is reviewed periodically by our management team and we will, of course, make adjustments if and when necessary.
Need additional information or documentation? You can email our Director of Information Security, Gabriel Cooper, at email@example.com