While 2025 may have brought questions about the level of enforcement we would see from federal regulators, there was no question that state regulators would continue to be active, especially in the financial privacy space. In 2025, we saw the New York Department of Financial Services (NYDFS) implement the final phases of the amendments to its Cybersecurity Regulation (23 NYCRR Part 500) that were originally adopted in 2023 (see our earlier post on the amendments here). The final implementation milestones came as scheduled in May and November 2025, and just days before the last set of requirements took effect on November 1, NYDFS also issued new industry guidance on managing third-party risk. Taken together, the guidance and the final amendments signal what NYDFS will scrutinize in upcoming investigations and examinations: leadership oversight and documentation, complete asset inventories governed by clear policies, strict access controls and privilege management, universal multi-factor authentication coverage or well-justified compensating controls, and credible evidence of third-party risk management.
May 2025: Penultimate Implementation Phase for 2023 Amendments
In May 2025, several new requirements originally adopted in November 2023 took effect, including those regarding (1) vulnerability scanning, (2) access controls, and (3) monitoring and logging.
Vulnerability Scanning. Covered Entities—entities operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law—must now conduct automated vulnerability scans (or manual reviews for any systems not otherwise covered by automated scans) and report and remediate vulnerabilities identified by such scans according to a cadence established in the Covered Entity’s risk assessment. These requirements are in addition to the annual penetration tests and risk assessment requirements that took effect in 2023 and 2024.
Access Controls. Signaling a particular emphasis on access controls as a means of securing Covered Entities’ information systems, Covered Entities are now required to have specific access control protocols, including: limiting access to information systems that provide access to nonpublic information (NPI) to individuals with a “need to know,” limiting the number of privileged accounts, restricting the use of privileged accounts to privileged functions only, regular (at least annual) review of access controls and privileges to remove or disable accounts that no longer require privileged access, and prompt termination of access following personnel departures. Taken together, these requirements are far more prescriptive than the original Part 500 mandate to limit user access privileges to information systems that provide access to NPI and to periodically review those privileges. Larger, “Class A” companies (those with at least $20M in New York revenue and either over 2,000 employees or at least $1B in global revenue) are further required to implement a privileged access management solution, monitor privileged access activity, and implement an automated method to block commonly used passwords.
Monitoring and Logging. Since May, Covered Entities must implement risk-based controls designed to protect against malicious code, including monitoring and filtering web traffic and blocking malicious email content, and must implement endpoint detection and response as well as centralized logging and security event alerting tools (or reasonable equivalents). These obligations are in addition to the broader annual cybersecurity awareness training requirement (which must cover social engineering) that came into effect in 2024.
October 2025: Industry Letter Regarding Service Providers
On October 21, 2025, NYDFS released an industry letter directed to executives and information security personnel at regulated entities, providing guidance on managing risks associated with third-party service providers (TPSPs), such as cloud computing, artificial intelligence (AI), and FinTech solution providers.
The letter stated that it did not impose new requirements on Covered Entities under 23 NYCRR Part 500; it was intended merely to clarify existing requirements and best practices because “[t]he growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.” The letter nonetheless served as a strong reminder for Covered Entities to closely examine their TPSP risk management programs. Echoing the SEC’s recent emphasis on vendor diligence and oversight, NYDFS identified the need for more robust due diligence, contractual provisions, monitoring and oversight, and third-party risk management policies and procedures. It warned against delegating responsibility for Part 500 compliance to TPSPs, stressing instead the expectation that senior governing bodies and senior officers sufficiently understand cybersecurity matters and exercise appropriate oversight. NYDFS then addressed each stage of the third-party risk management lifecycle, as summarized below.
Identification, Due Diligence, and Selection. During the selection process, Covered Entities should assess the cybersecurity risks posed by a potential TPSP and set minimum cybersecurity standards for engaging that TPSP. Covered Entities should also develop tailored, risk-based mitigation plans for each TPSP. Factors to consider in classifying a provider’s risk profile during this due diligence phase include: the type and extent of system and information access; the provider’s industry reputation; the provider’s own cybersecurity program, access controls, audits, and security controls; the criticality of the service provided and the availability of alternatives; the provider’s location; the provider’s incident response and business continuity plans; the provider’s own vendor risk management procedures; and any external audits or certifications. NYDFS emphasized that while a standardized questionnaire may be one useful tool in this process, it does not remove the need for qualified personnel to validate responses and determine appropriate mitigation strategies and residual risk. NYDFS acknowledged a predicament many Covered Entities face (limited vendor options or legacy system dependencies) but urged organizations to document the relevant risks, implement compensating controls, continue to conduct regular assessments, and monitor for viable alternative providers as they emerge.
Contracting. During the contracting process, Covered Entities should include risk-based requirements tailored to the services and data contemplated, as well as associated remedies. These provisions may cover topics regulated by Part 500 such as: access controls, data encryption, cybersecurity event notification, and compliance representations. NYDFS also suggested provisions covering topics not already regulated by Part 500, such as: location and transfer restrictions, disclosure of subcontractors, data use and exit obligations, and, where relevant, acceptable use, development, and training of artificial intelligence.
Ongoing Monitoring and Oversight. Covered Entities should conduct periodic TPSP assessments, at a risk-based frequency, to ensure providers’ cybersecurity programs align with the Covered Entity’s expectations. Such ongoing monitoring and assessment should be reflected in written policies informed by the evolving threat and regulatory landscape, changes to products and services, and whether the provider has experienced a cybersecurity event. In addition to the initial due diligence considerations outlined above, oversight and ongoing monitoring should also consider security attestations, penetration testing summaries, policy updates, evidence of security awareness training, compliance audits, and, where applicable, updates on vulnerability management, patching practices, and remediation of previously identified deficiencies.
Termination. When a TPSP relationship ends, Covered Entities should disable provider access to information systems, including by revoking system access for TPSP personnel, deactivating service accounts, revoking identity federation trusts, and removing API integrations and external storage access. At the end of the contractual relationship, Covered Entities should require certification of destruction of NPI (including snapshots, backups, and cached datasets), secure return of data, or migration of data to another provider. NYDFS warns Covered Entities to pay close attention to access points that became redundant or unnecessary over the course of the relationship but were never removed (best practice is to eliminate them as they become unnecessary, not at termination). A final review should confirm that all obligations have been fulfilled and that access and data controls have been properly enforced, with any lessons learned incorporated into future third-party risk assessments and contracting practices. Remember that the right time to negotiate termination requirements is at initial contracting, not at termination itself.
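The annual access review required since May (prune privileged accounts, remove access promptly after departures) and the termination checks in the industry letter (disable vendor accounts, revoke federation trusts) reduce to the same audit: walk the account roster and flag enabled accounts that should no longer exist. The following is an added example of that audit, not NYDFS’s guidance or any product’s code. The roster format, the 90-day staleness threshold, and the sample accounts are constructed for illustration; a real review would pull the roster from the directory or identity provider and the end dates from HR and vendor-management systems.

```python
"""Access-review checks of the kind Part 500 now expects: flag enabled accounts
that belong to departed personnel, vendor (TPSP) accounts that outlived their
contract, privileged accounts that have gone unused, and service accounts
with no accountable owner.

Added example, not NYDFS or any vendor's code. The roster format and the
90-day staleness threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner: str                  # person or team accountable for the account
    kind: str                   # "employee", "vendor", or "service"
    privileged: bool
    enabled: bool
    last_used: Optional[date]   # None = never used
    # Employees: HR separation date, if any. Vendor accounts: contract end date.
    access_end: Optional[date] = None
    federated: bool = False     # vendor reaches us through an IdP federation trust


def review_access(accounts: List[Account], as_of: date,
                  stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts the review should disable
    or escalate. Disabled accounts are skipped: they are already handled.
    An account can produce more than one finding."""
    findings = []
    stale_before = as_of - timedelta(days=stale_days)
    for a in accounts:
        if not a.enabled:
            continue
        # Prompt termination after departures / expired vendor contracts.
        if a.access_end is not None and a.access_end <= as_of:
            who = "departed personnel" if a.kind == "employee" else "expired vendor contract"
            note = f"still enabled after {who} ({a.access_end.isoformat()})"
            if a.federated:
                note += "; federation trust also needs revoking"
            findings.append((a.username, note))
        # Privileged accounts that nobody has used: candidates for removal.
        if a.privileged and (a.last_used is None or a.last_used < stale_before):
            findings.append((a.username,
                             f"privileged account unused since {a.last_used or 'creation'}"))
        # Every service account needs someone accountable for it.
        if a.kind == "service" and not a.owner:
            findings.append((a.username, "service account with no accountable owner"))
    return findings


# Constructed sample roster (not real data).
SAMPLE_ROSTER = [
    Account("jdoe", "J. Doe", "employee", True, True, date(2025, 10, 28)),
    Account("asmith", "A. Smith", "employee", False, True, date(2025, 9, 1),
            access_end=date(2025, 9, 15)),
    Account("svc-backup", "", "service", True, True, date(2025, 10, 30)),
    Account("svc-legacy-etl", "Data Eng", "service", True, True, date(2025, 3, 2)),
    Account("acme-support", "Acme Corp", "vendor", True, True, date(2025, 10, 20),
            access_end=date(2025, 9, 30), federated=True),
    Account("old-contractor", "B. Lee", "vendor", False, False, None,
            access_end=date(2024, 1, 1)),
]


def run_sample(as_of_iso: str = "2025-11-01") -> List[Tuple[str, str]]:
    """Run the review over the sample roster as of the given ISO date."""
    return review_access(SAMPLE_ROSTER, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for user, why in run_sample():
        print(f"{user}: {why}")
```

Run as of November 1, 2025, the sample produces four findings: the departed employee still enabled, the unowned service account, the privileged ETL account unused since March, and the vendor account whose contract ended in September (with a note that the federation trust must go too). The disabled contractor account is not reported, which is the point: the review should produce the list of actions still outstanding, not a restatement of the roster.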
November 2025: Final Implementation Deadline for 2023 Amendments
As the culmination of a two-year phased rollout of the amendments adopted in November 2023, the final phase implemented more prescriptive requirements for (1) asset inventories and (2) multi-factor authentication (MFA).
Section 500.13(a): Asset Management Requirements. Starting November 1, 2025, Covered Entities were required to have implemented written policies and procedures governing the creation and maintenance of an asset inventory for the entity’s information systems. At a minimum, these asset inventories should track, to the extent applicable, system ownership, location, classification/sensitivity, support expiration date, and recovery time objectives. In response to public comment, NYDFS emphasized the importance of a Covered Entity having a complete asset inventory in one place, to be achieved by including each of the above-listed items, if applicable, even if some of this same information is available elsewhere. The documented policies and procedures should also determine a required frequency for inventory updates and validation. NYDFS pointedly declined to limit the scope of the new asset inventory requirements to only those assets containing NPI, as urged by some commenters, instead requiring an inventory of all assets that are included in a Covered Entity’s risk assessment.
Section 500.12: Multi-Factor Authentication. Part 500 previously required MFA only when accessing a Covered Entity’s internal networks from an external network, and in earlier industry guidance NYDFS stressed a flexible approach to regulating MFA. After the November implementation, Covered Entities must use MFA for any individual accessing any of the entity’s information systems. (Entities with a limited exemption under Section 500.19(a) have a narrower obligation: MFA for remote access to information systems and to third-party applications from which NPI is accessible, and for all privileged accounts other than service accounts that prohibit interactive login.) The requirement applies whether the user is a customer, employee, vendor, contractor, or other third party, and regardless of the accessed system’s risk level. In short, MFA is now required “regardless of location, type of user, [or] type of information contained on the information system being accessed[.]”
NYDFS has repeatedly stated that it views authentication deficiencies as the most exploited gap enabling cybersecurity breaches and that adoption of MFA is “one of the most effective and inexpensive ways to reduce this risk.” Those statements, the fact that NYDFS has been issuing industry guidance on MFA since 2021, and the enhanced requirements here all portend that MFA is a serious area of focus for NYDFS and could underpin future investigations and enforcement actions. The amended regulation still does not mandate that Covered Entities adopt a specific form of MFA, though NYDFS recommends token-based MFA over push-based or text-based MFA (both more exposed to user error and to attackers, for example through prompt fatigue and SIM swapping) and over biometrics-based MFA (vulnerable to AI deepfakes). In response to commenters urging that the regulation strictly require phishing-resistant MFA, NYDFS acknowledged that such a requirement could prove overly costly and burdensome for many Covered Entities and declined to impose it. Covered Entities may also avail themselves of the regulation’s allowance that the Chief Information Security Officer may approve, in writing, the use of reasonably equivalent or more secure compensating controls, which must be reviewed at least annually. That exception may prove useful where, for example, a third-party application does not support MFA, but the written approval and the annual review are what an examiner will ask to see.
Whether the industry letter was intended to coincide with the final phase of Part 500 amendment implementation or not, one thing is for certain: Covered Entities should be preparing for intensifying NYDFS scrutiny in 2026, including cybersecurity examinations, which could foreshadow an enforcement action. Covered Entities should close remaining access privilege, MFA, and inventory gaps and reinforce third‑party diligence, contracting, and monitoring now to be examination‑ready. Moreover, a robust, comprehensive, and regularly updated cybersecurity program is best practice not just to avoid running afoul of NYDFS and other regulatory bodies, but to protect your organization and customers as cybersecurity incidents continue to rock the financial landscape and industries beyond.