Final NYDFS Cybersecurity Rules Take Effect: What Financial Services Companies Must Do Now

As of November 1, 2025, two critical updates to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (the Cybersecurity Regulation or "Part 500") took effect for Financial Services Companies.¹

Covered Entities must now finalize implementation of two critical security components: (1) mandatory Multi-Factor Authentication (MFA) for nearly all Covered Entities in nearly all cases; and (2) development of a comprehensive, documented Asset Inventory Program.

Background of the Cybersecurity Regulation

The NYDFS Cybersecurity Regulation establishes a robust, principles-based framework designed to manage cyber risk in the state's financial sector.

The Cybersecurity Regulation governs "Covered Entities," defined as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York's Banking Law, Insurance Law or Financial Services Law.²The Regulation's core requirements include annual risk assessments,³ written cybersecurity policies and procedures,⁴ data governance and CISO reporting requirements,⁵access privilege and management controls,⁶MFA,⁷ asset inventory and management,⁸incident response and business continuity requirements,⁹and an annual certification of compliance.¹⁰

In November 2023, NYDFS's Second Amendment to Part 500 became effective, introducing enhanced obligations with new deadlines and thresholds. Key changes, for example, the 24-hour notification and explanation requirement for cyber extortion payments,¹¹ were driven by lessons learned through enforcement and evolving global threats. The final requirements of this amendment took effect on November 1, 2025, and focus on strengthening foundational cyber practices for nearly all Covered Entities.

Supervisory Context Under New DFS Leadership

The implementation of these amendments comes amid a leadership change at NYDFS. Following the departure of Superintendent Adrienne Harris, Kaitlin Asrow has been appointed as Acting Superintendent.

Under Acting Superintendent Asrow, NYDFS recently issued guidance reiterating that Covered Entities remain ultimately accountable for managing the cybersecurity risks posed by third-party vendors and cannot delegate this compliance responsibility.  This continuity in focus—holding Covered Entities accountable for supply chain security—is directly relevant to both the MFA and Asset Inventory requirements discussed below, particularly as they relate to third-party applications and cloud-based assets. NYDFS’s statement that regulated entities "are still ultimately accountable for protecting consumers and managing risk" underscores the need for thorough, contractual compliance with vendors and other third-party providers.¹²

The stakes are high. Earlier this year, NYDFS entered into a consent order for alleged violations of Part 500, resulting in a $2 million civil penalty.¹³

Key Takeaways 

Effective November 1, 2025, two major new requirements are mandatory for most Covered Entities:¹⁴

1. Multi-Factor Authentication (MFA)

The prior version of the Cybersecurity Regulation only mandated MFA for access to internal networks from outside the network; the amended rule significantly broadens this requirement. Covered Entities are now required to implement MFA for all individuals remotely accessing information systems from which data is accessed or to which data is provided, including remote access to third-party applications..

The net result is that MFA is required for virtually all remote access. Covered entities must ensure that their MFA program extends beyond just internal VPNs and includes:

• Cloud Applications: For example, access to services like Microsoft 365, Google Workspace, or other Software-as-a-Service (SaaS) providers; and
• Third-Party Vendors: Any third-party system or application used by the Covered Entity’s personnel (or third-party personnel) that provides access to the Covered Entity’s information or systems.

Many Covered Entities will already have these controls in place. Still, professionals in both compliance and security should work together to ensure that the scope of the Part 500 mandate aligns with their organization’s security posture.

The MFA requirement also reinforces that the Covered Entity is responsible for ensuring the security of its data, even when that data is being accessed via a third-party application. As noted above, the NYDFS has emphasized that Covered Entities cannot delegate responsibility for compliance to Third-Party Service Providers (TSPs).16 While a Covered Entity can rely on a TSP’s native MFA software (e.g., in a SaaS platform), the Covered Entity retains the ultimate responsibility to ensure that the TSP’s MFA implementation meets the requirements of the Cybersecurity Regulation.

2. Comprehensive Asset Inventory Program

Covered Entities also must formalize their asset inventory into a documented and regularly maintained program,¹⁷through written policies and procedures that provide for the creation and maintenance of a complete, accurate, and documented inventory of all information systems.¹⁸

These policies must describe how assets are tracked—including ownership, classification or sensitivity, location, the date the application will no longer be supported, and recovery time objectives—as well as the frequency at which the inventory will be updated and validated. The Cybersecurity Regulation also calls for secure disposal of non-public information that is no longer necessary for business operations.¹⁹

Simply having a list of assets is no longer sufficient. The compliance mandate shifted from a static list to a dynamic, documented program that formalizes the procedural steps for program creation and maintenance, details the responsible owner(s) for each asset’s information, the triggers for updates (e.g., procurement or decommissioning), and the mechanism for validating the inventory’s accuracy. This includes hardware, software, cloud services, and network infrastructure, all tied to the sensitivity of the Non-Public Information (NPI) processed or stored.

Our Take and Next Steps for Covered Entities

Steptoe recommends Covered Entities take or consider the following actions in light of the new requirements:

• Scope and Implement MFA Broadly:
  • Identify every application and system that stores, transmits, or processes NPI, regardless of whether it is hosted internally or by a third-party vendor (e.g., Salesforce, document management systems).
  • Ensure MFA is mandatory for all access methods to these systems, prioritizing phishing-resistant MFA methods where feasible.20 For example, consider hardware security keys or FIDO2-compliant push notification authentication.
  • Review current third-party contracts to ensure the language requires third parties to support the Covered Entity’s MFA implementation.
• Formalize the Asset Inventory Program:
  • Design and update written policies and procedures for your Asset Inventory Program.
  • Confirm that the inventory tracking mechanism captures all required data points, including asset owner, data classification, network location, and maintenance/patch status.
  • Establish a periodic risk-based schedule (e.g., quarterly, semi-annually) for validating the inventory and assign clear ownership roles for maintenance.
• Validate Risk Assessment Alignment:
  • Ensure your comprehensive Risk Assessment addresses all newly identified assets and access points.
• Prepare for 2026 Certification:
  • Compliance with these requirements must be included in the Annual Certification of Compliance due on April 15, 2026.

As the final NYDFS Cybersecurity Regulation requirements are now in effect, Covered Entities should act swiftly to validate their compliance posture. Steptoe’s cross-disciplinary team of cybersecurity, financial services, and regulatory attorneys is available to assist with implementation, risk assessments, and certification readiness. Please contact us to discuss how we can support your organization’s compliance strategy under Part 500.

¹ 23 NYCRR Part 500 et seq.

² § 500.1(e).

³ § 500.9.

⁴ § 500.3.

⁵ § 500.4.

⁶ § 500.7.

⁷ § 500.12.

⁸ § 500.13.

⁹ § 500.16.

¹⁰ § 500.17.

¹¹ § 500.17(c).

¹² See Guidance on Managing Risks Associated with Third-Party Relationships, N.Y. Dep't of Fin. Servs. (Oct. 21, 2025), https://www.dfs.ny.gov/industry-guidance/industry-letters/il20251021-guidance-managing-risks-third-party.

¹³ See Consent Order, In re Healthplex, Inc., N.Y. Dep’t of Fin. Servs. (Aug. 14, 2025), https://www.dfs.ny.gov/system/files/documents/2025/08/Healthplex-Consent-Order_FINAL.pdf.

¹⁴ Under § 500.19(a), small businesses and their affiliates with fewer than twenty employees and independent contractors, less than $7.5 million in gross annual revenue in each of the last two fiscal years from its New York business operations, or less than $15 million in year-end total assets are exempt from certain requirements of Part 500, and subject to a narrower MFA requirement.

¹⁵ § 500.12.

¹⁶ New York State Department of Financial Services, Industry Letter: Guidance on Managing Risks Associated with Third-Party Relationships (Oct. 21, 2025), https://www.dfs.ny.gov/industry-guidance/industry-letters/il20251021-guidance-managing-risks-third-party.

¹⁷ § 500.13(a)

¹⁸ Id.

¹⁹ § 500.13(b).

²⁰ In its Assessment of Public Comments on the Proposed Second Amendment to 23 NYCRR 500, the NYDFS encouraged Covered Entities to adopt phishing-resistant MFA where appropriate but stopped short of mandating particular MFA forms. See Assessment of Public Comments, at 56, https://www.dfs.ny.gov/system/files/documents/2025/07/2023-06-28-apc-first-apc-for-reg.pdf.