NYDFS Cybersecurity Regulation: Up-to-date compliance guidance

The stakes are high when it comes to cybersecurity in the financial sector. Financial organizations house a lot of sensitive customer data, including login credentials, personally identifiable information (PII), and banking details. The New York State Department of Financial Services (NYDFS) has therefore taken a proactive stance to safeguard sensitive information and protect consumers by implementing the Cybersecurity Regulation (23 NYCRR 500).

For those working in the financial sector, compliance with 23 NYCRR 500 is more than just a checkbox on a regulatory to-do list. It’s a strategic imperative that can mean the difference between thriving in a competitive market and facing the catastrophic consequences of a data breach.

In this post, we’ll aim to navigate the intricacies of NYDFS compliance, with a special focus on two critical areas: password policy management and multi-factor authentication (MFA). We’ll break down the specific requirements, share compelling real-life stories of non-compliance, and offer actionable insights to help you build a cybersecurity strategy that helps you meet the NYDFS standards.

What is the NYDFS Cybersecurity Regulation (23 NYCRR 500)?

The NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, is a set of cybersecurity requirements for financial institutions operating in New York State. These regulations aim to ensure that these institutions have robust cybersecurity programs to protect their systems and data from cyber threats.

We’ll go into specifics later in this article. But at the most basic level, the NYDFS requires organizations to do the following:

  • Officially designate a Chief Information Security Officer (CISO)
  • Define a notification process for breaches and similar events with customer-facing impacts (within 72 hours of occurrence)
  • Create response plans for security incidents
  • Deliver documents detailing the above compliance measures to regulatory bodies
  • Conduct regular risk assessments and employee training

Who does the NYDFS regulation apply to?

The NYDFS regulation applies to a wide range of financial institutions regulated by the New York State Department of Financial Services. This includes banks, credit unions, insurance companies, and other financial service providers that operate in New York State. Specifically, it covers entities that are required to have a license, registration, charter, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Law.

What are the latest NYDFS updates in 2025?

The NYDFS cybersecurity regulation (23 NYCRR 500) was introduced in 2017. It became effective on March 1, 2017, and covered entities were required to be in compliance with most of its provisions by September 4, 2017. On November 1st, 2023, the NYDFS introduced its second amended Cybersecurity Regulation (23 NYCRR Part 500).

The amendments introduced several key changes, with a particular focus on enhancing password security. Specifically, Class A Companies are now required to implement an automated method to block commonly used passwords for all accounts on information systems they own or control, and wherever feasible, for all other accounts. This requirement is aimed at preventing the use of weak passwords that are vulnerable to cyber-attacks.

Looking for a solution that blocks the creation of weak passwords and continuously scans your Active Directory for over 4 billion compromised passwords? Get in touch to learn about Specops Password Policy.

Compliance with these new requirements is mandated by April 29, 2024, with certain provisions having extended transition dates. For the most accurate and up-to-date information, it’s always a good idea to refer to the official NYDFS website or the latest version of the regulation.

How are Class A Companies defined?

Under the NYDFS Cybersecurity Regulation, Class A Companies are covered entities that meet the following criteria:

  • They have at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations.
  • They have either over 2,000 employees on average over the last two fiscal years, including affiliates, or over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates.

15 key requirements to comply with NYDFS (23 NYCRR 500)

  1. Cybersecurity Program: Covered entities must develop and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the institution’s information systems and non-public information.
  2. Cybersecurity Policy: A written cybersecurity policy must be established and approved by the board of directors or a senior officer, addressing specific areas such as information security, data governance, and incident response.
  3. Chief Information Security Officer (CISO): Appoint a CISO to oversee and implement the cybersecurity program and enforce the cybersecurity policy.
  4. Risk Assessment: Regular risk assessments must be conducted to identify and assess cybersecurity risks to the institution’s systems and data.
  5. Access Privileges: Implement policies and procedures to ensure that access to information systems is limited to authorized individuals and is based on the principle of least privilege.
  6. Application Security: Implement written procedures, guidelines, and standards to ensure the use of secure development practices for in-house developed applications and procedures for evaluating, assessing, or testing the security of externally developed applications.
  7. Data Governance and Classification: Establish policies and procedures for data governance and classification, including the identification and classification of non-public information.
  8. Audit Trail: Maintain systems that capture and retain activity logs to detect and respond to cybersecurity events.
  9. Training and Monitoring: Provide regular cybersecurity awareness training for all personnel and implement monitoring processes to detect cybersecurity events.
  10. Incident Response Plan: Develop and maintain an incident response plan to ensure timely response to and recovery from cybersecurity events.
  11. Third-Party Service Provider Management: Implement policies and procedures to ensure the security of information systems and non-public information accessible to, or held by, third-party service providers.
  12. Penetration Testing and Vulnerability Assessments: Conduct annual penetration testing and bi-annual vulnerability assessments to identify and address security vulnerabilities.
  13. Multi-Factor Authentication: Implement multi-factor authentication for any individual accessing the institution’s internal networks or information systems.
  14. Limitations on Data Retention: Implement policies and procedures to limit the retention of non-public information to that which is necessary for business operations.
  15. Periodic Reporting: The CISO must provide a report to the board of directors or senior governing body at least annually, detailing the overall status of the cybersecurity program and material cybersecurity risks.

What are the consequences of non-compliance?

The consequences of non-compliance with the NYDFS cybersecurity regulation (23 NYCRR 500) can be significant. Financial institutions that fail to meet the regulatory requirements may face a range of penalties, including fines, regulatory enforcement actions, and reputational damage.

The NYDFS has the authority to impose civil monetary penalties, which can be substantial, and to take other corrective actions, such as requiring the institution to implement specific remedial measures.

Additionally, non-compliance can lead to increased scrutiny and oversight from the NYDFS, which may result in more frequent audits and inspections. In severe cases, the NYDFS can revoke or suspend the institution’s license to operate in New York State. These consequences underscore the importance of adhering to the cybersecurity requirements to protect both the institution and its customers.

NYDFS non-compliance example: OneMain Financial Group

In May 2023, NYDFS announced that it was fining OneMain Financial Group (OneMain) $4.25 million. The fine was handed down due to a violation of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The issues cited included the improper storage of passwords and not sufficiently managing risk from third-party data storage.

What does NYDFS say about passwords and MFA?

The regulation places significant emphasis on the importance of strong password policies and multi-factor authentication (MFA) to protect against unauthorized access to systems and data. Here are the specific requirements and guidelines related to passwords and MFA:

23 NYCRR 500.12 – Passwords

  • Covered entities must implement policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
  • This includes ensuring that passwords are strong and securely managed. While the regulation does not specify exact password complexity requirements, it is generally understood that passwords should be complex, unique, and changed periodically.
  • Class A Companies are now required to implement an automated method to block commonly used passwords for all accounts on information systems they own or control, and wherever feasible, for all other accounts.

23 NYCRR 500.12 – Multi-Factor Authentication (MFA)

  • Covered entities must use multi-factor authentication or, where risk assessment justifies, risk-based authentication for any individual accessing the entity’s internal networks or information systems.
  • MFA is required for any individual accessing the entity’s internal networks or information systems from an external network, unless the covered entity has implemented risk-based authentication that is at least as secure as MFA.
  • Covered entities must conduct a periodic risk assessment of the information systems, which should include an evaluation of the effectiveness of MFA and other access controls.

How to comply with NYDFS password requirements

To meet the requirements set out in the previous section, organizations must demonstrate:

  • Automated password blocking: Have an automated method to block commonly used passwords. This solution must be in place for all accounts on information systems owned or controlled by a Class A Company. If it isn’t feasible for certain accounts, a CISO must show evidence as to why.
  • Compliance monitoring: The implementation and effectiveness of the password blocking solution should be monitored regularly. The CISO is responsible for ensuring the compliance and adequacy of these controls.
  • Regular audits: Conduct regular audits to verify that the automated password blocking solution is functioning correctly and effectively preventing the use of weak passwords.
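The blocking and audit steps above, as an added example that is not Specops product code or code from the original post: a small Python check that normalizes a candidate password (case, leetspeak substitutions, trailing digits and symbols) and compares hashes against a common-password list, plus an audit helper that reports when the control returns an unexpected answer. The list and the test passwords are constructed for illustration; a real deployment would load a large breach-derived list.

```python
import hashlib
import re

# Constructed sample of a "commonly used" password list; a production
# deployment would load a large breach-derived list instead.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1", "summer2024"]

# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" is still
# recognised as the list entry "password".
_LEET = str.maketrans("@4$501", "aassoi")
_TRAILING = re.compile(r"[\d\W_]+$")


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize_variants(password: str) -> set[str]:
    """Forms of a password that are compared against the blocklist."""
    lowered = password.lower()
    variants = {lowered, lowered.translate(_LEET)}
    stripped = _TRAILING.sub("", lowered)      # "Summer2025!" -> "summer"
    if stripped:                               # "123456" strips to nothing
        variants.add(stripped)
        variants.add(stripped.translate(_LEET))
    return variants


def build_blocklist(entries) -> set[str]:
    """Store only hashes of each entry's variants, never the plaintext list."""
    return {_sha256(v) for entry in entries for v in normalize_variants(entry)}


def is_blocked(password: str, blocklist: set[str]) -> bool:
    """The automated check: True if any variant matches a blocked password."""
    return any(_sha256(v) in blocklist for v in normalize_variants(password))


def audit_blocking(blocklist: set[str], expectations: dict[str, bool]) -> list[str]:
    """Regular-audit helper: returns the test passwords whose outcome differs
    from the expected one, so a CISO report can show the control works."""
    return [pw for pw, should_block in expectations.items()
            if is_blocked(pw, blocklist) != should_block]


if __name__ == "__main__":
    bl = build_blocklist(COMMON_PASSWORDS)
    checks = {"P@ssw0rd1!": True, "Summer2025": True, "Qwerty!!": True,
              "correct-horse-battery-staple": False}
    print("audit failures:", audit_blocking(bl, checks))   # expected: []
```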

Meet NYDFS compliance with Specops

Strong password security and MFA protection are a crucial combination for complying with NYDFS. A strong password makes it harder for attackers to guess or crack, while MFA adds an additional verification step, significantly reducing the risk of account compromise even if the password is stolen. Together, they offer robust protection against a wide range of cyber threats. 

Specops makes it simple for organizations to comply with NYDFS by helping you take three key actions:

  1. Use Specops Password Policy to block end users from creating weak passwords by enforcing a strong, effective password policy
  2. Enable our Breached Password Protection feature to continuously scan your Active Directory against our (always growing) database of 4 billion unique compromised passwords
  3. Combine with Specops Secure Access to add MFA for Windows logon, as well as RDP, RADIUS, and VPN connections

Want to know how Specops Password Policy, Specops Secure Access, or both could fit in with your environment? Get in touch for a trial.  

(Last updated on March 26, 2025)


Written by Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
