Go-To Guide:
  • The last remaining provisions of the amendments to the New York Department of Financial Services’ (DFS) cybersecurity regulation called Part 500 came into effect Nov. 1, 2025.

  • DFS adopted these regulations two years ago but allowed regulated entities additional time to comply with these final provisions, recognizing the cost and burden involved.

  • The final provisions require multi-factor authentication in some circumstances and require regulated entities to implement policies and procedures to maintain an inventory of the assets they protect.

  • DFS issued guidance on the considerations it expects covered entities to include as part of assessing and addressing the risks from third parties, including vendors, cloud-based systems, FinTech platforms, and AI agents.

  • The guidance provides recommendations for terms covered entities might include in their vendor contracts.

In November 2023, DFS adopted an overhaul of its cybersecurity regulations to respond to how “the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost.” However, DFS announced phased compliance deadlines, allowing regulated entities a transitional period to meet these more stringent requirements.

By Nov. 1, 2025, regulated entities must comply with the last two provisions of these amendments to take effect: the multifactor authentication (MFA) requirement and the requirement for policies and procedures to maintain an asset inventory. Covered entities will first have to certify their compliance with these provisions in the annual certifications due April 15, 2026.

DFS also issued guidance on how to manage the cybersecurity risks of using third-party service providers, further illustrating requirements of Part 500 that are already in effect. The guidance suggests contractually requiring these vendors to adopt MFA to the same standard that Part 500 requires of the covered entity itself.

Who Is Subject to Part 500

Generally, any entity that is required to be licensed by DFS must comply with Part 500.[1]

An entity is fully exempt if it is covered by, and complies with, the cybersecurity program of another DFS-regulated business.[2] An entity is also fully exempt if it is an insurance broker that, among other things, holds no nonpublic personal information and has not been active for at least one year.[3]

An entity is partially exempt from Part 500 if it qualifies under any of the following grounds:

  • it and its affiliates have fewer than 20 employees and independent contractors;[4]
  • its worldwide operations plus the New York operations of its affiliates resulted in gross annual revenue of less than $7.5 million in each of the last three fiscal years;[5]
  • the entity and its affiliates have less than $15 million in total assets at year-end;[6] or
  • the entity does not directly or indirectly operate, maintain, utilize, or control any information system and is not required to directly or indirectly control, own, access, generate, receive, or possess nonpublic personal information.[7]

An entity that previously enjoyed an exemption from Part 500 should carefully check the current exemptions, because several have meaningfully narrowed as a result of the 2023 amendments.

The Newest Requirements

The final two provisions (1) require multifactor authentication with very limited exceptions, and (2) call for the entity to develop policies and procedures that allow it to maintain an inventory of the assets it needs to protect.

Multifactor Authentication

DFS believes that MFA is an essential aspect of a sufficient cybersecurity program. In adopting the regulations, DFS stated that “All access should be secured, not just access by personnel. Access by vendors, contractors, and other external parties to the covered entities’ systems also pose a security risk.”[8]

The prior version of the regulations left the choice between MFA and some other “risk-based authentication” to the covered entity’s risk assessment. DFS amended this provision to require, as the general rule, that MFA “shall be utilized for any individual accessing any information systems of a covered entity.”[9] If the covered entity qualifies for a partial exemption based on (1) its number of employees, (2) its gross annual revenue, or (3) its total assets, it may limit its application of MFA to:

  • remote access to the covered entity’s information systems, which DFS reads to include both inbound access from outside the network and outbound access from inside the network to external resources, such as cloud-based systems;
  • remote access to third-party applications; and
  • all privileged accounts other than service accounts that prohibit interactive login.[10]

However, if the covered entity has a CISO, the CISO may approve in writing the use of “reasonably equivalent or more secure controls” in place of MFA.[11] DFS recognizes that covered entities that do not have a CISO will therefore not be permitted to adopt alternative compensating controls, but reasons that “entities with relatively common information systems should be able to enable MFA for all instances” while “those with more complicated information systems would benefit from having a CISO.”[12] In practice, that written approval should identify the specific systems or accounts it covers and the controls relied on in place of MFA, since the covered entity will have to be able to show it to examiners.

Nonetheless, aware that adopting MFA may require significant cost, DFS delayed the compliance date for this new provision a full two years.[13] This requirement took effect Nov. 1, 2025.

Asset Inventory

DFS believes that “maintaining an asset inventory is a critical part of identifying [the] assets that need to be protected.”[14] DFS stresses that covered entities must keep their inventory up to date, and that “all assets that are included in the risk assessment must be inventoried, not just those that are material or that contain nonpublic information.”[15]

The new provision directs covered entities to establish written policies and procedures as part of their cybersecurity program that are “designed to produce and maintain a complete, accurate, and documented inventory of the covered entity’s information systems.”[16] The inventory must specify for each asset:

  • its owner,
  • its location,
  • its classification or sensitivity,
  • its support expiration date, and
  • its recovery time objectives.

The asset management policy must also set the frequency with which the inventory must be updated and validated.[17]
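The fields above, together with the validation frequency the policy must set, describe a record a covered entity can check mechanically before it certifies. The script below is an added illustration, not DFS text or any covered entity's tooling: it runs a few checks a practitioner would want over an inventory export, flagging records missing a required field, assets whose support has already expired, and assets not revalidated within the policy's interval. The inventory records, the 90-day validation interval, and the field names are assumptions constructed for the example; the five required attributes are the ones 23 NYCRR § 500.13(a) lists.

```python
"""Sanity checks over an asset inventory export against the 23 NYCRR 500.13(a) fields.

Added example; the records and the 90-day validation interval are constructed
assumptions, not data or policy from any regulated entity.
"""
from datetime import date, timedelta

# The five attributes 500.13(a) requires for each asset. Field names are
# this example's own choice, not names the regulation prescribes.
REQUIRED_FIELDS = (
    "owner",
    "location",
    "classification",
    "support_expiration",        # ISO date the vendor stops supporting the asset
    "recovery_time_objective_hours",
)

# Constructed sample inventory. One clean record, one with expired vendor
# support, one missing its owner and overdue for revalidation.
SAMPLE_INVENTORY = [
    {"asset_id": "srv-web-01", "owner": "app-platform", "location": "us-east-1",
     "classification": "confidential", "support_expiration": "2027-06-30",
     "recovery_time_objective_hours": 4, "last_validated": "2025-10-15"},
    {"asset_id": "fw-legacy-02", "owner": "netops", "location": "NYC data center",
     "classification": "internal", "support_expiration": "2024-12-31",
     "recovery_time_objective_hours": 8, "last_validated": "2025-10-15"},
    {"asset_id": "db-cust-03", "owner": "", "location": "us-east-1",
     "classification": "restricted", "support_expiration": "2028-01-01",
     "recovery_time_objective_hours": 1, "last_validated": "2025-03-01"},
]


def check_inventory(inventory, as_of, validation_interval_days=90):
    """Return a list of (asset_id, finding) tuples for every check that fails.

    - every REQUIRED_FIELD must be present and non-empty;
    - support_expiration must be on or after `as_of`;
    - last_validated must be within `validation_interval_days` of `as_of`
      (the interval stands in for the frequency the policy must set).
    """
    findings = []
    for asset in inventory:
        asset_id = asset.get("asset_id", "<no id>")

        for field in REQUIRED_FIELDS:
            value = asset.get(field)
            if value is None or value == "":
                findings.append((asset_id, f"missing required field: {field}"))

        expiration = asset.get("support_expiration")
        if expiration and date.fromisoformat(expiration) < as_of:
            findings.append((asset_id, "vendor support expired"))

        validated = asset.get("last_validated")
        if not validated:
            findings.append((asset_id, "never validated"))
        elif date.fromisoformat(validated) + timedelta(days=validation_interval_days) < as_of:
            findings.append((asset_id, "validation overdue"))
    return findings


def summarize(findings):
    """Count findings per asset so an owner can see which records need attention."""
    counts = {}
    for asset_id, _ in findings:
        counts[asset_id] = counts.get(asset_id, 0) + 1
    return counts


if __name__ == "__main__":
    for asset_id, finding in check_inventory(SAMPLE_INVENTORY, date(2025, 11, 1)):
        print(f"{asset_id}: {finding}")
```

Run against the constructed records as of Nov. 1, 2025, the check reports the expired firewall, the database record with no owner, and the same record's stale validation; the web server passes. The same checks run over a CMDB export would give a covered entity evidence, on the cadence its policy sets, that the inventory is "complete, accurate, and documented" rather than merely present.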

Third-Party Risk Guidance

Since its initial adoption, Part 500 has required covered entities to develop and “implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.”[18]

On Oct. 21, 2025, DFS issued additional guidance through a non-binding industry letter.[19] The letter observes that reliance on “third party service providers” (TPSPs) continues to increase, particularly as FinTech solutions and the use cases for artificial intelligence expand. DFS believes that “the growing scale and complexity of cyber risks posed by TPSPs demands a proactive, risk-based, and continuously adaptive approach to third-party governance.”[20]

From its experience during exams, “DFS has identified the need for more robust due diligence, contractual provisions, monitoring and oversight, and TPSP risk management policies and procedures.”[21] Following the lead of the federal banking agencies, the industry letter traces the “cybersecurity risks throughout the lifecycle of a TPSP relationship, beginning with the due diligence and selection processes, continuing through contracting, ongoing oversight and management of the relationship, and ending with the termination of the TPSP relationship.”[22]

DFS included recommendations for the “baseline contract provisions covered entities should consider incorporating into their agreements with TPSPs.”[23] Among other topics, these provisions call for covered entities to require TPSPs to:

  • Implement access controls, including MFA as if the vendor were itself subject to Part 500;
  • Establish regular testing of the TPSP’s integration with the covered entity’s systems, consistent with the covered entity’s written information security program and the risks the TPSP poses;
  • Identify, and where appropriate restrict, where data is stored, especially any cross-border storage or transmission;
  • Certify destruction of nonpublic information, or its migration to another provider, at the end of the relationship, including destruction of remaining backup media and revocation of previously issued credentials, with the covered entity auditing these offboarding steps after any such termination;
  • Describe and limit the acceptable use of AI, including the extent to which the covered entity’s data will be made available to AI models; and
  • Encrypt nonpublic information in transit and at rest, even if the covered entity is itself exempt from Part 500’s encryption provisions.

Provisions That Previously Came into Effect

DFS paced the compliance dates for the provisions of the amended regulations to reflect its estimate of how long it would reasonably take regulated entities to adjust their cybersecurity programs to meet the new standards. As a recap, the following amended provisions took effect on the following dates:

  • 1, 2023:

    – 500.17: report cybersecurity events to DFS, including those involving ransomware;

  • April 29, 2024:

    – 500.5: conduct penetration testing at least annually, and implement an ongoing monitoring process;

    – 500.9: update risk assessments at least annually;

    – 500.3: update cybersecurity policies at least annually, with review and approval by the board or senior officers;

    – 500.14: conduct cybersecurity awareness training at least annually that includes social engineering as a topic;

  • 1, 2024:

    – 500.4: additional reporting and oversight between and among the CISO and the board or senior officers;

    – 500.15: encryption or effective compensating controls;

    – 500.16: implement and regularly test incident response and business continuity plans;

  • May 1, 2025:

    – 500.5: use automated scans to detect vulnerabilities at a frequency justified by the risk assessment, and promptly after any material system change;

    – 500.7: deploy user access privilege limitations and protocol configurations to partition and limit access, especially to sensitive data;

    – 500.14: implement controls to protect against malicious code.

Key Takeaways

With these final provisions, the amendments to modernize DFS’s cybersecurity regulation come fully into effect. Covered entities should prepare to demonstrate their compliance with all of the regulation’s provisions, or to show how they satisfy an exemption.

If a covered entity has a CISO and wishes to rely on alternatives to MFA for particular systems, it should work with the CISO to obtain written approval of the reasonably equivalent or more secure controls before relying on them.


[1] 23 NYCRR § 500.1(e).

[2] Id. § 500.19(b).

[3] Id. § 500.19(e).

[4] Id. § 500.19(a).

[5] Id.

[6] Id.

[7] Id. § 500.19(c).

[8] DFS, Assessment of Public Comments, at 61 (June 28, 2023) (Assessment).

[9] 23 NYCRR § 500.12(a).

[10] Id.; Assessment at 60.

[11] 23 NYCRR § 500.12(b).

[12] Assessment at 59.

[13] Id. at 87; 23 NYCRR § 500.22(d)(4). Likewise, DFS allowed a full year to implement the earlier risk-assessment-based MFA provisions of the original version of Part 500. See 23 NYCRR § 500.22(b)(1).

[14] Assessment at 62.

[15] Id. at 62.

[16] 23 NYCRR § 500.13(a).

[17] Id.

[18] Id. § 500.11(a).

[19] DFS, Industry Letter, Guidance on Managing Risks Related to Third-Party Service Providers (Oct. 21, 2025).

[20] Id. at 1.

[21] Id. at 2.

[22] Id.

[23] Id. at 5–6.