While 2025 may have brought questions about the level of enforcement we would see from federal regulators, there was no question that state regulators would continue to be active, especially in the financial privacy space. In 2025, we saw the New York Department of Financial Services (NYDFS) implement the final phases of amendments to its NYDFS Cybersecurity Regulation (23 NYCRR Part 500) that originally passed back in 2023 (see our earlier post on the amendments here). The final implementation milestones came as scheduled in May and November 2025, and just days before the final set of requirements took effect on November 1, NYDFS also issued new industry guidance on managing third-party risks. Taken together, the guidance and final amendments underscore what NYDFS will be scrutinizing in upcoming investigations and examinations: leadership oversight and documentation, complete asset inventories governed by clear policies, strict access controls and privilege management, universal multi-factor authentication coverage or well‑justified compensating controls, and credible third‑party risk management evidence.


