
The New York State Department of Financial Services (NYDFS), a leader in regulating financial and insurance institutions, has established rigorous cybersecurity standards to protect against evolving threats. The 2017 Cybersecurity Regulation (23 NYCRR Part 500) marked a significant milestone in strengthening the cyber defenses of regulated entities. As we approach 2025, the NYDFS has introduced amendments with critical implementation deadlines to ensure comprehensive protection for financial institutions. This article outlines the key amendments, compliance deadlines, and strategies to help financial institutions meet the upcoming requirements.

Key Updates to NYDFS Cybersecurity Regulation

  1. Enhanced Governance and Oversight
    Senior governing bodies must play a more active role in cybersecurity. Organizations are now required to conduct comprehensive risk assessments annually or whenever material changes occur, ensuring updated policies on data retention, end-of-life management, and other critical areas.
  2. Introduction of Class A Companies
    Entities with over 2,000 employees or $1 billion in gross annual revenue are now classified as Class A companies. These entities face stricter requirements, such as independent audits of their cybersecurity programs.
  3. Stricter Technical Requirements
    Financial institutions must implement multi-factor authentication (MFA) for all system access, enhance privileged account access controls, and adopt new asset inventory protocols. These technical measures are designed to address vulnerabilities and strengthen overall resilience.
  4. Focus on Artificial Intelligence (AI) Risks
    The NYDFS has issued guidance on addressing AI-related cybersecurity risks, such as deepfakes and AI-driven social engineering attacks. Institutions must incorporate these risks into their regular risk assessments and cybersecurity policies.

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) mandates that covered entities implement robust cybersecurity measures. However, certain entities may qualify for limited exemptions under Section 500.19(a) if they meet specific criteria:

  1. Employee and Contractor Threshold: Fewer than 20 employees and independent contractors across the covered entity and its affiliates.
  2. Revenue Threshold: Less than $7.5 million in gross annual revenue in each of the last three fiscal years, counting all business operations of the covered entity plus the New York State operations of its affiliates.
  3. Asset Threshold: Less than $15 million in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.

Entities meeting any of these criteria are exempt from certain provisions of the regulation, specifically Sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2), (b), 500.15, and 500.16 (see Casetext). Despite these exemptions, such entities must still comply with other critical sections, including:

  • Section 500.2: Establishing a cybersecurity program.
  • Section 500.3: Implementing a cybersecurity policy.
  • Section 500.7: Managing access privileges.
  • Section 500.9: Conducting risk assessments.
  • Section 500.11: Managing third-party service provider security.
  • Section 500.12: Implementing multi-factor authentication.
  • Section 500.13: Encrypting nonpublic information.
  • Section 500.17: Reporting cybersecurity events.

Entities that qualify for a limited exemption must file a Notice of Exemption with the NYDFS within 30 days of determining their exempt status. 

It’s also important to note that the NYDFS amended the Cybersecurity Regulation effective November 1, 2023, which included updates to exemption criteria (see Department of Financial Services).

Upcoming Deadlines (2025)

  • May 1, 2025:
    • Strengthen user access privilege controls, including:
      • Removing or disabling unnecessary accounts.
      • Configuring remote access protocols securely.
      • Promptly terminating access after personnel departures.
    • Develop and enforce a comprehensive password policy.
  • November 1, 2025:
    • Fully implement enhanced MFA requirements.
    • Adopt new asset inventory protocols.
  • April 15 of each year:
    • Forms must be submitted online.
  • April 25 of each year:
    • Cybersecurity policies must be updated (if needed), reviewed, and approved.
    • Risk assessment must be updated.

For more details, refer to the official Cybersecurity Implementation Timeline for Small Businesses.

Who Needs to Comply?

NYDFS cybersecurity regulations apply to all entities licensed, chartered, or regulated by the department, including:

  • Banks: State-chartered banks and foreign banks licensed in New York.
  • Insurance Companies: Life, health, and property insurers.
  • Mortgage Lenders: Mortgage bankers, brokers, and servicers.
  • Consumer Lenders: Providers of payday loans, personal loans, and installment loans.
  • Financial Services Companies: Money transmitters, virtual currency companies, and fintech firms.
  • Investment Firms: Broker-dealers and securities firms.
  • Health Insurers: HMOs and other health insurance providers.

Strategies for Compliance

To meet the 2025 requirements, financial institutions should prioritize the following:

  1. Comprehensive Risk Assessments
    • Conduct annual risk assessments, factoring in AI-related risks and operational changes.
  2. Enhanced Governance Structures
    • Involve senior leadership in approving policies, monitoring compliance, and overseeing cybersecurity programs.
  3. Technical Controls Implementation
    • Ensure MFA is fully implemented by November 2025.
    • Strengthen access controls, encryption, and network monitoring systems.
  4. Incident Response Preparedness
    • Develop, test, and regularly update incident response and continuity plans.
  5. Employee Training
    • Conduct regular cybersecurity awareness training, emphasizing risks like social engineering and AI-driven threats.

Exemptions and Special Provisions

Some entities may qualify for exemptions under Sections 500.19(a), (c), and (d). For example:

  • Entities with fewer than 10 employees or less than $5 million in revenue may qualify for limited exemptions.
  • Entities exempt under 500.19(c) (those not maintaining nonpublic information) and 500.19(d) (captive insurers) are not required to implement certain measures, such as MFA and risk assessments.

Partnering with Systech MSP for Compliance

Navigating the complexities of NYDFS cybersecurity regulations can be challenging, especially for small businesses and exempt entities. Systech MSP offers tailored IT solutions and expert guidance to help financial institutions comply with regulatory requirements while enhancing their overall cybersecurity resilience.

Contact us today to schedule a free consultation and ensure your organization is prepared to meet the NYDFS deadlines for 2025. Together, we can build a more secure future for your business.