Enterprise-wide MFA validation under NYDFS: are your controls real?

TL;DR: NYDFS fined eight insurance companies $14.2 million after breaches exposed data on more than 825,000 people, while upcoming Part 500 changes will require MFA for any individual accessing any information system and a maintained asset inventory, according to Push Security. Policy-based MFA alone is no longer enough; organisations must prove account-level coverage across every login path.

NHIMG editorial — based on content published by Push Security: NYDFS MFA enforcement and the tightening of Part 500 requirements

By the numbers:

• According to Push data, 2 in 5 accounts are missing MFA.

Questions worth separating out

Q: How should security teams prove MFA compliance across all applications?

A: They should verify MFA at the account and login-method level for every in-scope application, not just at the identity provider.

Q: When does MFA policy fail in practice?

A: MFA policy fails when it exists only on paper or at the central login layer while apps still allow password-based access, duplicate logins, or unmanaged tenant settings.

Q: What do teams get wrong about shadow SaaS and authentication?

A: They often assume unknown apps are low risk until they find a business process attached to them.

Practitioner guidance

• Audit authentication at the account level Verify every active account, login method, and alternate path for each in-scope application instead of relying on IdP-wide MFA status.
• Remove ghost logins during app reviews Disable local passwords, legacy auth routes, and duplicate credentials wherever SSO has been introduced.
• Tie asset inventory to MFA evidence Maintain a continuously updated list of information systems and link each asset to its authentication method, owner, and exception status.

What's in the full analysis

Push Security's full article covers the operational detail this post intentionally leaves for the source:

• How the NYDFS enforcement actions map to specific MFA and asset management failings across insurance providers
• The practical differences between central IdP MFA, app-level enforcement, and account-level validation
• Why ghost logins and shadow SaaS create hidden compliance gaps in real enterprise estates
• What Push Security says its browser-based platform observes across unmanaged apps and login methods

👉 Read Push Security’s analysis of NYDFS MFA enforcement and Part 500 changes →

Enterprise-wide MFA validation under NYDFS: are your controls real?

Explore further

View Full Forum →  |  NHI Foundation Course →