On November 1, 2025, additional cybersecurity requirements introduced by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) (the “Second Amendment”) will take effect. The updated requirements for all covered entities consist of expanding multi-factor authentication (“MFA”) and adopting written procedures for creating and maintaining information system asset inventories. The regulation grants a limited exemption to the multi-factor authentication requirement only for certain covered entities with employees, revenue, or assets falling under defined thresholds.
The final set of cybersecurity requirements introduced by the New York Department of Financial Services’ Cybersecurity Requirements For Financial Services Companies (23 NYCRR 500) Second Amendment will take effect November 1, 2025. The Second Amendment, which was adopted in November 2023, imposed a multi-year rollout for the new requirements. The first set of requirements went into effect in November 2023, with final requirements taking effect November 1, 2025.
The November 1 requirements focus on:
- multi-factor authentication, and
- asset inventory policies.
Section 500.12: Multi-factor authentication
- In NYDFS’ view, MFA deficiencies are the most exploited gap in cybersecurity breaches. NYDFS has been issuing guidance on MFA since 2021 and reiterated this position in its responses to comments on the adoption of the most recent amendment, stating that robust and complete adoption of MFA is “one of the most effective and inexpensive ways to reduce [risk].” MFA is therefore a “focus” of NYDFS’ cybersecurity investigations and one of its top enforcement priorities.
- The Second Amendment mandates that covered entities require MFA for access to any information system by any user.*
- This requirement applies broadly and is not limited to users who are employees, contractors, or agents of covered entities. This requirement is also not limited to information systems which contain nonpublic information.
- The regulation does not mandate adoption of a specific form of MFA. NYDFS guidance recommends token-based MFA instead of push-based or text-based MFA to avoid vulnerabilities arising from human error and SIM-swapping.
- NYDFS has also cautioned against the use of certain biometrics, including traditional fingerprint, voice, and video, due to the risk posed by AI-manipulated deepfakes.
- A covered entity’s Chief Information Security Officer may instead approve the use of an equally secure control, which must be reviewed at least annually.
- The alleged failure to implement effective access controls, including MFA, has been a focal point for NYDFS in five recent settlements. Accordingly, NYDFS may prioritize enforcing the expansion of MFA to all users following November 1.
- NYDFS released a fact sheet in July regarding MFA requirements and best practices for complying with the new obligations. This may be a helpful document for organizations to consult as they consider how to update their MFA practices to align with the new requirements imposed by NYDFS.
Section 500.13(a): Asset inventory requirements
- NYDFS requires that covered entities enact written procedures for the creation and maintenance of an asset inventory of their information systems. Entities must then maintain an asset inventory in accordance with their enacted policy.
- The regulation provides that the policies must include:
  - The frequency of updates and validation of the asset inventory; and
  - A method to track information for each asset, including the asset’s owner, location, classification, support expiration date, and recovery time objectives.
- The NYDFS noted in its responses to comments that it believes it is important for organizations to ensure that all of the required information is available in one place, even if some information is duplicated elsewhere.
- The maintenance of a complete asset inventory, even if duplicative, can pose benefits for organizations beyond meeting the requirements imposed by NYDFS. A complete asset inventory can also be used as a single source of truth to reconcile against other inventories and detect deviations.
- While failure to maintain an asset inventory has not previously been an enforcement priority for NYDFS, the NYDFS brought an action in 2024 against a cryptocurrency company for alleged failure to maintain appropriate asset inventory policies, among other findings.
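As an added example that is not part of the original post, the following Python checks inventory records against the per-asset tracking fields named in Section 500.13(a) and reconciles the inventory against a second source (such as a discovery scan) to surface deviations; the asset identifiers, field names, and sample values are constructed assumptions.

```python
"""Added example (not NYDFS or the authors' text): validate an asset inventory
against the 500.13(a) tracking fields and reconcile it against a second inventory."""
from datetime import date

# Per-asset information the written procedure's tracking method must cover
# (owner, location, classification, support expiration, recovery time objective).
REQUIRED_FIELDS = ("owner", "location", "classification", "support_expiration", "rto_hours")

def validate_record(asset_id, record, today):
    """Return a list of findings for one inventory record (empty list means clean)."""
    findings = []
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            findings.append(f"{asset_id}: missing {field}")
    expiry = record.get("support_expiration")
    if expiry and date.fromisoformat(expiry) < today:
        findings.append(f"{asset_id}: vendor support expired {expiry}")
    return findings

def reconcile(authoritative, observed):
    """Compare the inventory kept under the written procedure (single source of truth)
    with another inventory, e.g. hosts seen by a discovery scan. Returns deviations."""
    auth, obs = set(authoritative), set(observed)
    return {"unknown_to_inventory": sorted(obs - auth),
            "missing_from_observed": sorted(auth - obs)}

# Constructed sample inventory: hypothetical asset ids and values.
INVENTORY = {
    "srv-001": {"owner": "payments-team", "location": "nyc-dc1", "classification": "NPI",
                "support_expiration": "2027-06-30", "rto_hours": 4},
    "srv-002": {"owner": "", "location": "aws-us-east-1", "classification": "internal",
                "support_expiration": "2024-01-31", "rto_hours": 24},
}
SCAN_RESULTS = ["srv-001", "srv-003"]  # constructed: srv-003 was never inventoried

def run_checks(inventory=INVENTORY, observed=SCAN_RESULTS, today=date(2025, 11, 1)):
    """Run field validation over every record, then reconcile against the scan."""
    findings = []
    for asset_id, record in inventory.items():
        findings.extend(validate_record(asset_id, record, today))
    return findings, reconcile(inventory.keys(), observed)

if __name__ == "__main__":
    findings, deviations = run_checks()
    print("\n".join(findings))
    print(deviations)
```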
These requirements, as well as the requirements that took effect on May 1, 2025 (which we covered here), will be subject to the annual certification requirement on April 15, 2026 that applies for calendar year 2025.
* Entities falling within the Second Amendment's small business exception are only required to use MFA for 1) remote access to information systems; 2) remote access to third-party applications; and 3) all privileged accounts other than service accounts.
Authored by Nathan Salminen, Dan Ongaro, A.J. Santiago, and Emma Kotfica.