The New York Department of Financial Services (“NYDFS”) implemented the final two phases of the amendments to its Cybersecurity Regulation (23 NYCRR Part 500) in May and November 2025. The amendments were adopted in November 2023 (see our earlier post on the amendments here) but were rolled out in phases over two years. Just days before the final set of requirements took effect on November 1, 2025, NYDFS issued new industry guidance on managing third-party risks, and shortly after that date it released a set of highly prescriptive Frequently Asked Questions (FAQs 18–23) on how covered entities can implement compliant multifactor authentication (“MFA”).
Taken together, the guidance and final amendments underscore what NYDFS will be scrutinizing in upcoming investigations and examinations: leadership oversight and documentation, complete asset inventories governed by clear policies, strict access controls and privilege management, universal MFA coverage or well‑justified compensating controls, and credible third‑party risk management evidence. There is no question that NYDFS will remain active in 2026 in regulating and investigating the cybersecurity posture of Covered Entities, meaning entities operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law.
May 2025: Penultimate Implementation Phase for 2023 Amendments
Several new requirements took effect in May 2025, including those regarding (1) vulnerability scanning, (2) access controls, and (3) monitoring and logging.
Vulnerability Scanning. Covered Entities must now conduct automated vulnerability scans (or manual reviews for any systems not otherwise covered by automated scans) and report and remediate vulnerabilities identified by such scans according to a cadence established in the Covered Entity’s risk assessment. These requirements are in addition to the annual penetration tests and risk assessment requirements that took effect in 2023 and 2024.
Access Controls. Covered Entities are now required to have specific access control protocols, including limiting access to information systems that provide access to nonpublic information (“NPI”) to “need to know” individuals, limiting the number of privileged accounts, restricting the use of privileged accounts to privileged functions only, regular (at least annual) review of access controls and privileges to remove or disable accounts that no longer require privileged access, and prompt termination of access following personnel departures. Taken together, these requirements are much more prescriptive than the original Part 500 mandate to limit user access privileges to information systems that provide access to NPI and to periodically review such access privileges. Larger “Class A” companies (those with at least $20 million in gross annual revenue from New York operations and either more than 2,000 employees or over $1 billion in gross annual revenue from all operations) are further required to implement a privileged access management solution, monitor privileged access activity, and implement an automated method to block commonly used passwords.
Monitoring and Logging. Covered Entities must implement risk-based controls designed to protect against malicious code, including controls that monitor and filter web traffic and email to block malicious content. Class A companies must additionally implement an endpoint detection and response solution and a solution that centralizes logging and security event alerting (or compensating controls that the CISO has approved in writing as reasonably equivalent or more secure). These obligations are in addition to the broader annual cybersecurity awareness and social engineering training requirements that came into effect in 2024.
October 2025: Industry Letter Regarding Service Providers
On October 21, 2025, NYDFS released an industry letter directed to executives and information security personnel that provided guidance on managing risks associated with third-party service providers (“TPSPs”), such as cloud computing, artificial intelligence (“AI”), or FinTech solution providers. The letter claimed not to impose new requirements on Covered Entities but instead merely clarify existing requirements and best practices as “[t]he growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.” The letter nonetheless provided Covered Entities with a strong reminder to closely examine their TPSP risk management programs. NYDFS warned against delegating responsibility for Part 500 compliance to TPSPs, instead stressing the expectation that senior governing bodies and senior officers sufficiently understand cybersecurity-related matters and exercise appropriate oversight. The letter then addressed each stage of the third-party risk management lifecycle, as summarized below.
Identification, Due Diligence, and Selection. During the selection process, Covered Entities should assess the cybersecurity risks posed by a potential TPSP and outline minimum cybersecurity standards for engagement. Covered Entities should also develop tailored, risk-based mitigation plans for each TPSP. Factors to consider in classifying a provider’s risk profile include the type and extent of system and information access; the provider’s industry reputation; the provider’s own cybersecurity program, security controls, access controls and audits; the criticality of the service provided and the availability of alternatives; the provider’s location; the provider’s incident response and business continuity plans; the provider’s own vendor risk management procedures; and any external audits or certifications. NYDFS emphasized that while a standardized questionnaire may be one useful tool in this due diligence process, it does not eliminate the need for qualified personnel to validate responses and determine appropriate mitigation strategies and residual risk. While NYDFS appeared to acknowledge a predicament that many Covered Entities find themselves in (limited vendor options or legacy system dependencies), it urged organizations to document the relevant risks, implement compensating controls, continue to conduct regular assessments, and monitor for viable alternative providers as they emerge.
Contracting. During the contracting process, Covered Entities should include risk-based requirements tailored to the services and data contemplated, as well as associated remedies. These provisions may cover topics regulated by Part 500 such as access controls, data encryption, cybersecurity event notification, and compliance representations. NYDFS also suggested provisions covering topics not already regulated by Part 500, such as location and transfer restrictions, disclosure of subcontractors, data use and exit obligations, and acceptable use, development, and training of AI.
Ongoing Monitoring and Oversight. Covered Entities should conduct periodic TPSP assessments, with risk-based frequency, to ensure providers’ cybersecurity programs align with the Covered Entity’s expectations. Such ongoing monitoring and assessments should be reflected in written policies informed by the evolving threat and regulatory landscape, changes to products and services, and whether the provider has experienced a cybersecurity event. In addition to the initial due diligence considerations outlined above, oversight and ongoing monitoring should also consider security attestations, penetration testing summaries, policy updates, evidence of security awareness training, compliance audits, and, where applicable, updates on vulnerability management, patching practices, and remediation of previously identified deficiencies.
Termination. When a TPSP relationship ends, Covered Entities should disable provider access to information systems, including by revoking system access for TPSP personnel, deactivating service accounts, revoking identity federation tools, and removing API integrations and external storage access. At the end of a contractual relationship, Covered Entities should require certification of destruction of NPI, secure return of data, or migration of data to another provider. NYDFS warned Covered Entities to pay close attention to access points that became redundant or unnecessary over the course of the relationship, to the extent such points were not addressed or eliminated during the course of the relationship, as is best practice. A final review should be conducted to confirm that all obligations have been fulfilled, and that access and data controls have been properly enforced, with any lessons learned incorporated into future third-party risk assessments and contracting practices. Remember that the right time to negotiate termination requirements is at initial contracting, not at termination itself.
November 2025: Final Implementation Deadline for 2023 Amendments
As the culmination of the two-year phased rollout of the November 2023 amendments, the final phase implemented more detailed requirements for (1) asset inventories and (2) MFA.
Section 500.13(a): Asset Management Requirements. Covered Entities are now required to have implemented written policies and procedures governing the creation and maintenance of an asset inventory for the entity’s information systems. At a minimum, these asset inventories should track, to the extent applicable, system ownership, location, classification/sensitivity, support expiration date, and recovery time objectives. In response to public comment, NYDFS emphasized the importance of a Covered Entity having a complete asset inventory in one place, to be achieved by including each of the above-listed items, if applicable, even if some of this same information is available elsewhere. The documented policies and procedures should also determine a required frequency for inventory updates and validation. NYDFS pointedly declined to limit the scope of the new asset inventory requirements to only those assets containing NPI, as urged by some commenters, instead requiring an inventory of all assets that are included in a Covered Entity’s risk assessment.
Section 500.12: Multi-Factor Authentication. Part 500 previously required MFA only for access to a Covered Entity’s internal networks from an external network, and NYDFS’s earlier industry guidance stressed a flexible approach to regulating MFA. Since the November 2025 implementation date, Covered Entities (other than those relying on the limited exemption in Section 500.19(a)) must use MFA for any individual accessing any of the entity’s information systems, including third-party cloud-based systems and external-facing systems. This requirement applies regardless of whether the access is by a customer, employee, vendor, contractor, or some other non-customer/non-employee, and regardless of the accessed system’s risk level. In short, MFA is now required “regardless of location, type of user, [or] type of information contained on the information system being accessed[.]”
The amended regulation does not mandate a specific form of MFA, and it stops just shy of requiring phishing-resistant MFA, but NYDFS has made clear that compliant MFA must combine at least two of the following categories of authentication: (1) knowledge (something you know, such as a password or PIN), (2) possession (something you have, such as a hardware token or mobile device, commonly involving cryptographic proof of possession), and (3) inherence (something you are, such as a fingerprint or facial recognition). Two factors from the same category, such as a password plus a security question, do not qualify. NYDFS recommends token-based MFA over push-based or text-based MFA (more vulnerable to error, malicious actors, and MFA fatigue) and over biometrics-based MFA (vulnerable to AI deepfakes). The MFA FAQs further elucidate NYDFS’s wariness of push-based notifications, urging Covered Entities to use them only if “implemented securely,” including by enabling number matching or challenge-response verification, displaying contextual login details (e.g., location, IP address, application requesting access), limiting the number of push retries, and enforcing adaptive MFA for suspicious activity. Single Sign-On (“SSO”) by itself does not meet NYDFS’s MFA requirements unless the initial SSO login is MFA-protected.
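The following is an added illustration, not code from NYDFS or from the original post, of the two points above: a factor check that rejects two factors from the same category, and a push-based MFA flow hardened the way the FAQs describe (number matching, contextual details on the device prompt, a retry limit, and escalation to a phishing-resistant factor after repeated failures). The class and function names, the three-attempt limit, and the sample users and IP addresses are assumptions chosen for the example.

```python
"""Added example: factor-category check and a hardened push-MFA flow.

Not NYDFS code; names, the attempt limit and the sample data are assumptions.
"""
import secrets
from dataclasses import dataclass

# Part 500's three authentication categories; a compliant MFA design needs
# factors from at least two distinct categories.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "hardware_token": "possession", "totp_app": "possession", "push_app": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

MAX_PUSH_ATTEMPTS = 3  # assumed retry limit before the push channel is disabled


def is_multi_factor(factors):
    """True only if the factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class PushChallenge:
    user: str
    code: str            # two-digit number shown on the login page only
    context: dict        # ip, location, application shown on the device
    attempts: int = 0
    state: str = "pending"   # pending | approved | locked


class PushMfaServer:
    """Server side of a number-matching push challenge (hypothetical)."""

    def __init__(self):
        self.challenges = {}
        self.step_up_required = set()  # users escalated off the push channel

    def start_login(self, user, ip, location, application):
        """Issue a challenge; the number is displayed to the person logging in
        and is never pushed to the device, so a bare 'Approve' cannot satisfy it."""
        if user in self.step_up_required:
            raise PermissionError("push MFA disabled for this user; use a hardware token")
        code = f"{secrets.randbelow(100):02d}"
        self.challenges[user] = PushChallenge(
            user, code, {"ip": ip, "location": location, "application": application})
        return code

    def device_prompt(self, user):
        """Text the authenticator app shows: contextual details, not just 'Approve?'"""
        ctx = self.challenges[user].context
        return (f"Sign-in to {ctx['application']} from {ctx['ip']} ({ctx['location']}). "
                f"Enter the number shown on your screen.")

    def device_response(self, user, entered_code):
        """Process the number typed on the device. Returns approved | denied | locked."""
        ch = self.challenges[user]
        if ch.state != "pending":
            return ch.state
        ch.attempts += 1
        valid_input = isinstance(entered_code, str) and entered_code.isascii()
        if valid_input and secrets.compare_digest(entered_code, ch.code):
            ch.state = "approved"
            return "approved"
        if ch.attempts >= MAX_PUSH_ATTEMPTS:
            # Repeated mismatches look like MFA fatigue or a phishing relay:
            # lock the challenge and require a stronger factor next time.
            ch.state = "locked"
            self.step_up_required.add(user)
            return "locked"
        return "denied"


if __name__ == "__main__":
    srv = PushMfaServer()
    shown = srv.start_login("alice", "203.0.113.5", "Albany, NY", "payroll")  # constructed data
    print(srv.device_prompt("alice"))
    print(srv.device_response("alice", shown))
```

A tap on a plain "Approve" button maps to `device_response(user, None)`, which counts as a failed attempt rather than an approval; this is the property that defeats push-bombing. The `step_up_required` set is the hook for the adaptive behaviour the FAQs mention: once a user is escalated, `start_login` refuses the push channel and the login must fall back to a token-based factor.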
NYDFS has repeatedly stated that it views authentication deficiencies as the most exploited gap enabling cybersecurity breaches and believes adoption of MFA is “one of the most effective and inexpensive ways to reduce this risk.” These statements, the fact that NYDFS has been issuing industry guidance on MFA since 2021, the enhanced requirements described here, and the dedicated new set of FAQs all portend that MFA is a serious area of focus for NYDFS and could underpin future investigations and enforcement actions. Covered Entities may still avail themselves of the regulation’s allowance that the entity’s Chief Information Security Officer may approve in writing the use of reasonably equivalent or more secure compensating controls, which must be reviewed at least annually. This exception may prove useful where, for example, a third-party application does not support MFA.
Impact
The requirements are not new and most entities have updated their policies in response, but many Covered Entities are such large institutions with so many legacy systems that full implementation poses significant challenges. Covered Entities should be preparing for intensifying NYDFS scrutiny and lower tolerance in 2026, including cybersecurity examinations that could foreshadow an enforcement action. Covered Entities should close remaining gaps with respect to access privileges, MFA, and asset inventories, and reinforce third‑party diligence, contracting, and monitoring now to be examination‑ready.
A robust, comprehensive, and regularly updated cybersecurity program is best practice not only to avoid running afoul of NYDFS and other regulatory bodies, but also to protect your organization and customers as cybersecurity incidents continue to rock the financial landscape. Keeping up with Part 500’s evolving requirements proactively is far less costly than dealing with the consequences of an NYDFS enforcement action or a large-scale data breach.