
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation has been in effect since 2017 and received significant updates with new amendments in late 2023. By this point, most insurers have established their cybersecurity programs, completed their annual certifications, and aligned their policies with NYDFS standards. The current challenge is not starting the compliance journey, but rather maintaining it while adapting to evolving threats, new digital experiences, and increasing customer expectations.

For insurance CISOs, the focus has shifted from “meeting the rule” to sustaining resilience. NYDFS requirements around authentication, access control, and incident reporting are precise, but applying them consistently across customer portals, agent tools, and broker systems without adding friction is where real leadership shows.

This guide explores how insurers can go beyond baseline compliance by using modern identity and access tools to stay secure, auditable, and effortless to use.

What the NYDFS cybersecurity regulation requires

The NYDFS regulation sets mandatory minimum standards for protecting nonpublic information and securing information systems across licensed financial and insurance institutions. While most insurers are already compliant, the real test lies in applying these requirements across complex broker networks, legacy platforms, and modern customer portals, especially in authentication and access management.

Fig: NYDFS cybersecurity regulation requirements

Cybersecurity program and policy

Every insurer must maintain a written cybersecurity policy supported by a risk-based program that covers data protection, system security, vendor management, and incident response. 

This means ensuring that identity and access controls, such as authentication flows, session management, and passwordless options, are secure, documented, reviewed, and auditable as part of the cybersecurity program.

Governance and oversight

A designated Chief Information Security Officer (CISO) is responsible for implementing the cybersecurity program and reporting annually to the board. For many insurers, this brings identity and access management into executive-level focus, requiring CISOs to demonstrate measurable control over who can access sensitive policyholder or partner data and how those access privileges are maintained.

Multi-factor authentication (MFA)

NYDFS mandates MFA for any individual accessing any information system of a covered entity, regardless of location or user type. This includes third-party broker portals, agent tools, and customer-facing applications. NYDFS guidance explicitly identifies MFA weaknesses as “the most common cybersecurity gap exploited at financial services companies.” In practice, the NYDFS recommends token-based, phishing-resistant methods like FIDO2-compliant passkeys and cryptographic authentication.

Risk assessment and vulnerability management

Annual risk assessments and regular penetration tests are required to identify and remediate weaknesses. For identity systems, this includes evaluating authentication endpoints, API integrations, and third-party identity providers for vulnerabilities. Continuous testing ensures that login flows, session tokens, and access APIs remain secure against emerging threats.

Incident response and reporting

Covered entities must notify NYDFS as promptly as possible, and no later than 72 hours after determining that a reportable cybersecurity event has occurred. Reportable events include any event that must be reported to another government body, self-regulatory agency, or supervisory authority (which makes the scope broad) and any event with a reasonable likelihood of materially harming normal operations (credential theft and unauthorized access to nonpublic information typically qualify). Your identity systems should capture the forensic details needed to reconstruct an event within that window: the authentication method used (password, TOTP, passkey, and so on), device fingerprint, source IP address, timestamps, and the outcome of each attempt.

Annual certification

Each year, CISOs must certify compliance based on supporting documentation and audit evidence. This requires a clear record of how authentication, MFA, and access controls are enforced and monitored across the organization. Identity logs, policy configurations, and workflow automation tools all serve as essential evidence for NYDFS review.

For insurers, these requirements make identity security more than a technical function. It has become a governance priority. Your approach to customer authentication and access management is not only about convenience or risk reduction but about proving resilience, compliance, and trust in every interaction.

How Descope simplifies compliance without sacrificing experience

Insurance operations face unique authentication challenges that generic identity implementations simply don’t address out of the box. 

For example, the fragmentation that brokers and agents deal with daily is rarely resolved by cookie-cutter solutions. They frequently access multiple carrier systems throughout the day, each with separate credentials, and jump through disconnected hoops to complete the most basic workflows.

Meanwhile, customer portals often fail to balance security with accessibility: policyholders accessing routine documents shouldn’t face the same authentication friction every time they log in from a trusted device at a known IP address. Yet, in an effort to meet regulations, MFA is treated like an on or off switch rather than a contextual process. Descope’s modern CIAM platform gives insurers the tools to meet NYDFS requirements while delivering the frictionless onboarding and secure experiences customers, agents, and brokers expect.

Strengthen authentication and MFA

Many insurers have met the basic MFA requirement, but most still struggle to balance stronger security with a smooth user experience. Descope helps teams go beyond compliance by making authentication both smarter and easier for customers, agents, and partners.

Fig: Adaptive MFA in action
  • Adaptive MFA: Step up only when something looks risky, such as a new device or location.

  • Phishing-resistant MFA: Use passkeys (FIDO2/WebAuthn) and platform biometrics, which bind the authentication to the site’s origin so a credential phished on a lookalike domain cannot be replayed. Magic links and one-time codes are faster than passwords but remain phishable, so treat them as a fallback rather than the primary factor.

  • MFA augmentation: Add these protections on top of your existing identity systems with no downtime.

  • Step-up auth for sensitive actions: Trigger extra verification only for high-value actions like policy changes or payouts.

Also Read: How Branch Reduced Auth-Related Support Tickets by 50% With Passkeys

Implement robust access controls

Access control is one of the toughest parts of compliance because insurers must manage thousands of users across customers, agents, and broker networks. Descope simplifies this complexity with tools that make least privilege, delegated access, and oversight easy to implement and maintain.

  • Tenant-aware authorization: Define access by broker, partner, or customer so each group only sees what’s relevant to them.

  • Fine-grained authorization (FGA): Apply detailed permissions based on role, resource, or relationship.

  • Delegated admin widgets: Let brokers and partners manage their own users and roles securely.

  • Audit-ready logs: Keep complete records of access events to simplify compliance reviews.
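The tenant-aware and relationship-based checks described in the list above, as an added example written for this page (it is not Descope’s own code or API). It models a carrier whose brokerages are tenants: roles are granted per tenant, the policyholder relationship grants read access to a policy regardless of tenant, and a delegated tenant admin can manage roles only inside the tenant that granted them. The tenant names, role names, and permission strings are assumptions.

```python
"""Tenant-aware, relationship-based authorization with delegated admin.

Added example for this page, not Descope's own code or API. Tenant names,
role names and permission strings below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    policy_id: str
    tenant_id: str        # brokerage that services the policy
    policyholder_id: str  # customer who owns it


@dataclass
class User:
    user_id: str
    # tenant_id -> roles held in that tenant; a broker may hold roles in several tenants
    tenant_roles: dict = field(default_factory=dict)


# Assumed role model. Permissions apply only within the tenant the role was granted in.
ROLE_PERMISSIONS = {
    "agent": {"policy:read"},
    "underwriter": {"policy:read", "policy:write"},
    "tenant_admin": {"policy:read", "user:manage"},
}


def permissions_in_tenant(user: User, tenant_id: str) -> set:
    """Union of permissions from every role the user holds in this tenant."""
    perms = set()
    for role in user.tenant_roles.get(tenant_id, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(user: User, permission: str, policy: Policy) -> bool:
    """Fine-grained check: relationship first, then tenant-scoped role."""
    # Relationship: a policyholder can always read their own policy.
    if permission == "policy:read" and policy.policyholder_id == user.user_id:
        return True
    # A role in brokerage A says nothing about brokerage B's policies.
    return permission in permissions_in_tenant(user, policy.tenant_id)


def grant_role(admin: User, target: User, tenant_id: str, role: str) -> None:
    """Delegated administration: the admin's user:manage permission must come
    from the same tenant in which the role is being granted."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if "user:manage" not in permissions_in_tenant(admin, tenant_id):
        raise PermissionError(f"{admin.user_id} cannot manage users in {tenant_id}")
    target.tenant_roles.setdefault(tenant_id, set()).add(role)


if __name__ == "__main__":
    # Constructed sample data.
    p1 = Policy("POL-1001", "brokerage-a", "cust-1")
    holder = User("cust-1")
    agent_a = User("agent-a", {"brokerage-a": {"agent"}})
    agent_b = User("agent-b", {"brokerage-b": {"agent"}})
    admin_a = User("admin-a", {"brokerage-a": {"tenant_admin"}})
    print(can(holder, "policy:read", p1))   # True via ownership
    print(can(agent_a, "policy:read", p1))  # True via tenant role
    print(can(agent_b, "policy:read", p1))  # False: wrong tenant
    grant_role(admin_a, agent_b, "brokerage-a", "agent")
    print(can(agent_b, "policy:read", p1))  # True after delegated grant
```

The important design point is that `grant_role` looks up the admin’s permissions in the target tenant, not globally; an admin of one brokerage therefore cannot assign roles in another, which is the least-privilege boundary the delegated-admin use case requires.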

Strengthen governance and risk-based controls

Governance and risk management are at the core of NYDFS compliance, but keeping controls effective as threats evolve is a constant challenge. Descope helps insurers automate risk-based decisions and maintain continuous visibility across their identity ecosystem.

Fig: Add risk-based MFA and bot protection to your auth flows
  • Risk-based workflows: Trigger extra verification or block access based on behavioral or device risk signals.

  • Risk integrations: Connect tools like Forter or Fingerprint for advanced fraud and anomaly detection.

  • Continuous monitoring: Track and analyze login behavior to detect suspicious activity early.
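The adaptive MFA, step-up, and risk-based workflow ideas described above (and the forensic fields the incident-reporting section calls for), as one added example written for this page rather than Descope’s own code or SDK. It assumes a user profile of previously seen devices and countries, a bot score in [0, 1] from an upstream risk provider, and a fixed set of sensitive actions; all of those, and the signal and method names, are assumptions. Each decision also produces an audit record with the authentication method, device fingerprint, source IP, and timestamp.

```python
"""Adaptive, risk-based MFA decision with a forensic audit record.

Added example for this page, not Descope's own code or SDK. The risk
thresholds, signal names, authenticator names and sensitive actions are
assumptions. Decisions: "allow" (no extra friction), "step_up" (require a
second, stronger factor) or "deny" (block and alert).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: actions that always need fresh strong authentication.
SENSITIVE_ACTIONS = {"change_beneficiary", "update_bank_account", "request_payout"}
# Assumed classification of authenticators that are phishing-resistant.
PHISHING_RESISTANT = {"passkey", "fido2_security_key"}
BOT_THRESHOLD = 0.8
MFA_FAILURE_LIMIT = 5


@dataclass
class UserProfile:
    user_id: str
    known_devices: set
    known_countries: set
    failed_mfa_last_hour: int = 0


@dataclass
class LoginContext:
    device_fingerprint: str
    source_ip: str
    country: str
    auth_method: str          # "password", "otp_sms", "magic_link", "passkey", ...
    bot_score: float          # 0.0 human .. 1.0 automated
    action: str = "login"
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def risk_signals(profile: UserProfile, ctx: LoginContext) -> list:
    """Collect the reasons this request deviates from the user's baseline."""
    signals = []
    if ctx.device_fingerprint not in profile.known_devices:
        signals.append("new_device")
    if ctx.country not in profile.known_countries:
        signals.append("new_country")
    if ctx.bot_score >= BOT_THRESHOLD:
        signals.append("likely_bot")
    if profile.failed_mfa_last_hour >= MFA_FAILURE_LIMIT:
        signals.append("mfa_brute_force")
    if ctx.action in SENSITIVE_ACTIONS:
        signals.append("sensitive_action")
    return signals


def decide(profile: UserProfile, ctx: LoginContext) -> tuple:
    """Return (decision, signals). Hard-fail signals deny outright; any other
    signal requires step-up unless the request was already authenticated with a
    phishing-resistant factor, which is the strongest step-up we could ask for."""
    signals = risk_signals(profile, ctx)
    if "likely_bot" in signals or "mfa_brute_force" in signals:
        return "deny", signals
    if signals and ctx.auth_method not in PHISHING_RESISTANT:
        return "step_up", signals
    return "allow", signals


def audit_record(profile: UserProfile, ctx: LoginContext, decision: str, signals: list) -> dict:
    """Forensic detail an incident responder needs when reconstructing an event
    for the 72-hour NYDFS notification: who, how, from where, when, and why."""
    return {
        "user_id": profile.user_id,
        "timestamp": ctx.timestamp.isoformat(),
        "auth_method": ctx.auth_method,
        "device_fingerprint": ctx.device_fingerprint,
        "source_ip": ctx.source_ip,
        "country": ctx.country,
        "action": ctx.action,
        "decision": decision,
        "risk_signals": list(signals),
    }


def evaluate(profile: UserProfile, ctx: LoginContext) -> dict:
    """Decide and log in one step so no decision is made without a record."""
    decision, signals = decide(profile, ctx)
    return audit_record(profile, ctx, decision, signals)


if __name__ == "__main__":
    # Constructed sample data: a policyholder with one known laptop in the US.
    holder = UserProfile("cust-1", {"fp-laptop"}, {"US"})
    routine = LoginContext("fp-laptop", "203.0.113.10", "US", "password", 0.05)
    new_phone = LoginContext("fp-phone", "198.51.100.7", "DE", "password", 0.10)
    payout = LoginContext("fp-laptop", "203.0.113.10", "US", "password", 0.05, "request_payout")
    for ctx in (routine, new_phone, payout):
        print(evaluate(holder, ctx))
```

Two choices worth noting: bot and brute-force signals deny rather than step up, because prompting an automated attacker for a second factor only gives it another surface to probe; and a login that already used a phishing-resistant authenticator is not stepped up again, since there is no stronger factor to ask for. Whether a sensitive action should require a fresh passkey assertion even so is a policy decision the risk assessment should record.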

Also Read: How Navan Added Magic Link MFA in Four Days With Descope

Support secure third-party and broker access 

Managing third-party and broker access securely is one of the biggest operational hurdles for insurers. Descope helps teams enforce consistent, compliant access across every partner relationship without adding friction or complexity.

Fig: The Descope SSO Setup Suite, which simplifies onboarding SSO tenants
  • SSO Setup Suite: Streamline SSO and SCIM setup for brokers and partners.

  • Zero-downtime SSO migration: Upgrade or replace identity integrations without interrupting active users.

  • Federated login: Let brokers use their existing IdPs while maintaining centralized visibility and control.

Maintain auditability and compliance

Proving compliance is just as important as achieving it, and manual documentation can quickly become a burden. Descope helps insurers maintain continuous audit readiness with automated logging and reporting.

  • Automated logging: Capture every login, MFA event, and access change for complete visibility.

  • Exportable reports: Generate evidence of control effectiveness and remediation efforts on demand.

Turn regulatory requirements into a competitive advantage

NYDFS compliance does not have to come at the expense of user satisfaction. With the right approach to authentication and access management, insurers can maintain strong, continuous compliance while creating faster, safer, and more seamless digital experiences for customers, agents, and partners.

Descope helps insurers:

  • Maintain compliance readiness with phishing-resistant MFA, adaptive authentication, and secure step-up verification

  • Reduce account takeover and fraud risk through built-in risk signals, breached password detection, and behavioral analysis

  • Simplify audits with automated logging, real-time monitoring, and exportable reports for NYDFS certification

  • Unify customer and broker identities across all portals and apps, ensuring consistent, secure access everywhere

Ready to strengthen your NYDFS compliance without adding friction? Descope helps insurers deliver secure, compliant authentication that feels effortless for every user.

Sign up for a Free Forever account to start building your first flows, or book a demo with our team to discuss how Descope can support your NYDFS compliance strategy.