
NYDFS Cybersecurity Regulation: Why Identity Is the New Compliance Battleground


Background on NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

New York’s Department of Financial Services (NYDFS) has quietly reset the bar for financial sector cybersecurity. Its Cybersecurity Regulation, 23 NYCRR Part 500, was already influential when it first took effect in 2017. With the Second Amendment finalized in November 2023 and the deadline for final requirements on November 1, 2025, it is becoming one of the most demanding cyber regulations in the world, especially around identity.   

Core Requirements of NYDFS Part 500

At a high level, Part 500 requires covered entities to run a risk-based cybersecurity program, appoint a CISO, implement written policies and procedures, and conduct regular risk assessments. It mandates technical controls such as access control, encryption of nonpublic information, continuous monitoring or periodic penetration testing, and an incident response plan. Covered entities must notify NYDFS within 72 hours of certain cybersecurity incidents and file annual certifications of compliance – now with personal liability exposure for CEOs and CISOs under the Second Amendment.   

The 2025 Amendments: MFA and Asset Inventory

What has changed is the level of specificity and scrutiny. The final set of amended requirements that took effect on November 1, 2025, focuses on two pillars:  

  • Universal multi-factor authentication (MFA) 
  • Formal information system asset inventory policies 

NYDFS has made it clear that weaknesses in MFA and basic asset hygiene are among the most common root causes of real-world breaches, so these are now top enforcement priorities.

Universal MFA Requirements Under NYDFS

For identity and access, the signal is loud and clear. As of November 1, 2025, covered entities must use MFA for any individual accessing any information system of the covered entity, regardless of location, user type, or the sensitivity of the data. There are only narrow exemptions, and even those require compensating controls approved by the CISO and reviewed at least annually. NYDFS FAQ guidance explicitly clarifies that internal networks include cloud email and document platforms such as Office 365 and Google Workspace, not just on-premises systems.

At the same time, Part 500 expects firms to maintain an accurate, up-to-date inventory of information systems and to manage third-party access with policies and contracts that enforce equivalent controls, including MFA. When you combine these expectations with the annual certification requirement and expanded penalties – NYDFS has now levied more than $100 million in fines for cybersecurity violations, including a recent $19 million enforcement against eight auto insurers – it is obvious that “best effort” identity governance is no longer enough. Guidance from NYDFS and multiple legal analyses state that missing the November 1, 2025 deadlines will put entities out of compliance and at risk of multi-million dollar fines, and they explicitly link these risks to the pattern of recent enforcement actions.

From Identity Chaos to Compliance Clarity

For most financial institutions, identity is where this all becomes challenging. You cannot prove universal MFA coverage, effective access control, or timely revocation of access if you do not have a complete, accurate picture of every human and non-human identity, their entitlements, and their relationship to business services. Mergers and acquisitions, hybrid cloud migrations, and third-party platforms create a tangle of overlapping directories, local accounts, and “shadow” identities that are invisible to traditional tools but fully within NYDFS’s scope.   

Meeting NYDFS expectations requires moving from point-in-time control checks to identity observability and continuous identity security posture management. In practice, that looks like three phases. 

  1. Organizations need a single, authoritative view of identities across Active Directory, cloud identity providers, HR systems, core banking and trading platforms, SaaS applications, and service accounts. This unified identity data fabric should normalize identities, correlate duplicates, and map non-human and machine identities back to accountable owners. Without this foundation, MFA rollout, privileged access management, and third-party access reviews remain spreadsheet exercises.
  2. Once the data is unified, firms can continuously observe their posture against NYDFS requirements. That means answering questions such as: Which accounts are still not covered by MFA? Where do privileged accounts bypass centralized controls? Which third parties have persistent access to nonpublic information? Where are entitlements out of alignment with policy or business needs? This kind of observability lets CISOs and boards see identity risk the same way they see market or credit risk, rather than relying on static point-in-time audit snapshots.
  3. Finally, the program must be able to act on those insights. That includes orchestrating remediation through IAM and IGA systems, ticketing workflows, and security tools to close orphaned accounts, enforce MFA everywhere it is required, tighten overly broad permissions, and standardize controls across subsidiaries and affiliates. It also means generating evidence for auditors and regulators automatically, instead of mobilizing ad hoc teams every time a certification or examination is due.
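As an added illustration of the three phases (example code written for this post, not code from the original article or from any vendor product), the Python below correlates accounts from two identity stores into one identity per person or service account, then flags the gaps the post names and attaches the remediation each should trigger. The source names, field names, HR roster and owner map are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed schema): two identity stores plus an HR roster.
SOURCES = {
    "ad": [{"id": "jdoe", "email": "JDoe@Example.com", "mfa": True},
           {"id": "svc_backup", "mfa": False, "privileged": True},      # no email: non-human
           {"id": "asmith", "email": "asmith@example.com", "mfa": True, "privileged": True}],
    "okta": [{"id": "jdoe@example.com", "email": "jdoe@example.com", "mfa": False},
             {"id": "vendor1@partner.example", "email": "vendor1@partner.example",
              "mfa": True, "third_party": True}],
}
HR_ACTIVE = {"jdoe@example.com"}   # asmith has left but still holds a privileged account
OWNERS = {"svc_job": "ops-team"}   # svc_backup has no accountable owner on record

def unify(sources):
    """Phase 1: correlate records from every store into one identity per
    normalized key (lower-cased email, or the account id for non-human accounts)."""
    ids = defaultdict(lambda: {"sources": set(), "mfa": True, "privileged": False,
                               "third_party": False, "human": False})
    for source, records in sources.items():
        for rec in records:
            key = (rec.get("email") or rec["id"]).lower()
            ident = ids[key]
            ident["sources"].add(source)
            ident["mfa"] &= rec.get("mfa", False)  # covered only if every linked account has MFA
            ident["privileged"] |= rec.get("privileged", False)
            ident["third_party"] |= rec.get("third_party", False)
            ident["human"] |= "email" in rec
    return dict(ids)

def assess(identities, hr_active, owners):
    """Phase 2: evaluate the unified view against the gaps the post names;
    each finding carries the Phase 3 remediation it should trigger."""
    findings = []
    for key, ident in sorted(identities.items()):
        if not ident["mfa"]:
            findings.append((key, "mfa_gap", "enforce MFA in " + ",".join(sorted(ident["sources"]))))
        if ident["privileged"] and not ident["mfa"]:
            findings.append((key, "privileged_without_mfa", "disable until MFA is enforced"))
        if ident["human"] and not ident["third_party"] and key not in hr_active:
            findings.append((key, "orphaned_account", "revoke access; offboarding was missed"))
        if not ident["human"] and key not in owners:
            findings.append((key, "unowned_service_account", "assign an accountable owner"))
        if ident["third_party"]:
            findings.append((key, "third_party_persistent_access", "verify contract mandates MFA; review annually"))
    return findings

if __name__ == "__main__":
    for key, kind, action in assess(unify(SOURCES), HR_ACTIVE, OWNERS):
        print(f"{kind:30} {key:26} -> {action}")
```

Note that jdoe is reported as an MFA gap even though the AD record shows MFA enabled: coverage is judged per correlated identity, so one linked account without MFA is enough to fail the universal-MFA test.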

NYDFS is also turning its attention to artificial intelligence and AI-enabled attacks, issuing guidance on AI-related cybersecurity risks and recommending controls that include stronger access controls, risk assessments, and data management practices. Once again, identity and unified identity data sit at the center, since AI systems both depend on sensitive datasets and introduce a new class of non-human identities and privileged service accounts.

Transforming Mandates into Measurable Security Gains 

For covered entities, the path forward is clear. Treat NYDFS not as a checklist but as a catalyst to modernize identity: enforce least privilege, limit and control privileged accounts, and perform regular access reviews and timely offboarding. MFA must be implemented across all remote access, all privileged accounts, and effectively all system access where nonpublic information is involved. And you must maintain centralized, auditable identity data so you can prove who has access to what, with what protections, and why. By unifying identity data, observing identity risk in real time, and acting quickly on what you see, financial institutions can turn a challenging regulation into an opportunity to build a more resilient, measurable, and trustworthy security posture.