
NYDFS: Penultimate set of cybersecurity requirements under amended Part 500 take effect May 1, 2025


On May 1, 2025, additional cybersecurity requirements introduced by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) (the “Second Amendment”) took effect. The updated requirements for all covered entities include conducting vulnerability scans, restricting access privileges and the use of privileged accounts, and implementing controls to protect against malicious code. Class A Companies have heightened requirements, including implementing an automated method to block commonly used passwords and meeting enhanced logging and monitoring requirements.

Additional cybersecurity requirements introduced by the New York Department of Financial Services’ Cybersecurity Requirements For Financial Services Companies (23 NYCRR 500) Second Amendment took effect May 1, 2025. The Second Amendment, which was adopted in November 2023, imposed a multi-year rollout for the new requirements. The first set of requirements went into effect in November 2023, with sets of requirements taking effect on a rolling basis through November 2025. 

The Second Amendment imposes different requirements for different classes of entities. It created a new class of entities called “Class A Companies” that are subject to heightened requirements. To be considered a Class A Company, a business (including its affiliates) must (1) be regulated by NYDFS and (2) either have over 2,000 employees or have over $1 billion in gross annual revenue.

The May 1, 2025 requirements, as applicable to covered entities other than those with the small business exclusions*, focus on:

  1. vulnerability scanning,
  2. access control requirements (including privileged access),
  3. malicious code, and
  4. monitoring and logging requirements (for Class A Companies). 

Section 500.5(a)(2): Vulnerability management

  • Covered entities are required to, at a minimum, conduct automated scans (or manual reviews, should automated scans not be available for a given system) to discover, analyze, and report vulnerabilities.
  • NYDFS does not mandate a specific frequency for these scans. Rather, covered entities are expected to determine a frequency appropriate for them based on their risk assessments conducted under § 500.9. However, NYDFS mandates that covered entities conduct these scans “promptly” after a material system change.
  • As part of its guidance on this topic, NYDFS indicated that manual reviews would apply to the extent automated scans cannot scan or reach systems that need scanning (such as air-gapped or otherwise segmented systems). NYDFS clarified that manual reviews, while having a greater element of human inspection, can also use any appropriate tools available to facilitate the review.

Section 500.7: Privileged account and access requirements

  • Covered entities are required to:
    • Limit access privileges to systems that provide access to non-public information to only the access necessary to perform the user’s job.
    • Limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job.
    • Limit the use of privileged accounts to only situations requiring the use of privileged access.
    • At least annually, review all user access privileges and remove or disable accounts and access that are no longer necessary.
    • Disable or securely configure all protocols that permit remote control of devices.
    • Promptly terminate user access following departure.
    • If passwords are used as an authentication method, implement a password policy that meets industry standards.
  • Class A Companies have heightened access control requirements. Class A Companies are required to monitor privileged access activity and:
    • Implement a privileged access management solution.
    • Implement an automated method of blocking commonly used passwords for all accounts on information systems it owns or controls (and for all other accounts, where feasible). If using an automated method is not feasible, the Class A Company’s CISO may instead state in writing at least annually (1) that it is infeasible to use automated methods and (2) approve the use of reasonably equivalent or more secure compensating controls.
  • When considering access controls, covered entities should also account for recent guidance NYDFS has published regarding access, including risks of remote access schemes from North Korea (which we covered here). 

Section 500.14(a)(2): Malicious code requirements

  • Covered entities are required to implement risk-based controls designed to protect against malicious code.
  • This requirement did not result in extensive NYDFS guidance. In response to public comments, NYDFS stated that “the requirement is not too prescriptive as no specific methodology is required, only that controls be implemented to protect against malicious code, including email and web filtering.”

Section 500.14(b): Monitoring requirements for Class A Companies

  • Class A Companies face heightened monitoring requirements. Class A Companies must, unless the CISO has approved in writing the use of reasonably equivalent or more secure controls, implement:
    • Endpoint detection and response solutions to monitor unusual activity.
    • A centralized logging and security event solution.

The final set of requirements under the Second Amendment will take effect in just under six months (on November 1, 2025). Those requirements will focus on multi-factor authentication and the implementation of asset inventory/tracking tools. The requirements that take effect during 2025 will be subject to the annual certification requirement on April 15, 2026. 


*Covered entities that qualify as small businesses have a different set of requirements that also went into effect on May 1, 2025.


Authored by Nathan Salminen, Dan Ongaro, and Emma Kotfica.
