Attention all NYAMB Members!
In an effort to keep you informed of recent regulatory updates that may impact you, we are forwarding the following information provided to us from the New York State Department of Financial Services.....
Subject: Cybersecurity Regulation Updates and Reminders September 2025
In 2023, DFS amended its landmark Cybersecurity Regulation (Part 500) with requirements rolling out through November 2025. To assist entities of all sizes, DFS provides regular updates with deadlines, resources, and practical insights.
In this month’s edition:
- Final Part 500 Requirements Take Effect November 1
- New MFA Requirements Resource
- Cybersecurity Insights: Help Desk Social Engineering
- DFS is Hiring: New Opportunities in Cybersecurity
- ICYMI: Annual Compliance Submissions Were Due in April
Final Part 500 Requirements Take Effect November 1
On November 1, 2025, the final phase of the amended Cybersecurity Regulation's requirements takes effect. As of that date, Covered Entities must comply with:
- Enhanced MFA Requirements (Section 500.12): Covered Entities from the Small Business, Standard, and Class A categories must comply with enhanced MFA requirements. With limited exceptions,
  - Covered Entities qualifying for a limited exemption pursuant to Section 500.19(a) – Small Businesses – must use MFA for remote access to their information systems, remote access to third-party applications, and all privileged accounts other than service accounts that prohibit interactive login, and
  - All other Covered Entities must utilize MFA for any individual accessing any information system of a Covered Entity.
- Asset Management (Section 500.13(a)): All Covered Entities must implement written policies and procedures to maintain a complete, accurate, and documented asset inventory of their information systems that includes, among other things, tracking ownership and location.
DFS encourages Covered Entities to prepare now and review available resources on the Cybersecurity Resource Center.
New Multi-Factor Authentication (MFA) Resource
DFS has published a new factsheet on MFA, explaining different MFA methods, their relative strengths, and the upcoming November 2025 requirements. Covered Entities should review the factsheet to ensure compliance and select secure MFA solutions suited to their risk profiles. Find more details on the MFA Factsheet.
Cybersecurity Insights: Help Desk Social Engineering
DFS continues to observe recurring cybersecurity themes that warrant close attention. These issues should be top of mind in Covered Entities’ risk assessments and central to the ongoing strengthening of cybersecurity programs.
- Rise in Social Engineering of IT Help Desk Personnel: DFS has observed a recent increase in incidents where threat actors gain unauthorized remote access to information systems by manipulating help desk personnel, coaxing them into resetting MFA tokens or changing passwords. When threat actors pose as internal IT professionals and/or use caller ID spoofing techniques, these attacks are even harder to spot. Organizations should alert all relevant staff to these threats, review and strengthen their identity verification protocols, monitor for anomalous behavior, and conduct simulated social engineering attacks to train personnel.
See the Department’s September 2024 alert on “Social Engineering of Institutions’ IT Help Desk Personnel.” CISA also provides additional information on this topic: Avoiding Social Engineering and Phishing Attacks and Scattered Spider.
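One concrete way to act on the "monitor for anomalous behavior" advice above is to correlate help-desk credential or MFA resets with what the account does next. The following is an added example, not DFS guidance or any vendor's product: it takes help-desk ticket records and identity-provider login events (both constructed here, with assumed field names and RFC 5737 documentation addresses), flags resets whose recorded identity verification relied on a spoofable signal such as caller ID alone, and flags any successful login within an assumed 60-minute window from an IP address or device the user had never used before the reset.

```python
"""Correlate help-desk MFA/password resets with subsequent logins from
unfamiliar networks or devices.

Added example. The record layout, the set of "weak" verification methods
and the 60-minute window are assumptions for illustration, not a DFS or
vendor schema; tune them to your own ticketing and IdP logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Verification methods that a help desk might record on a reset ticket and
# that an impostor can satisfy with public or spoofable information.  Caller
# ID is listed because the bulletin notes attackers spoof it.  (Assumed set.)
WEAK_VERIFICATION = {"caller_id", "employee_id_only", "none"}
LOGIN_WINDOW = timedelta(minutes=60)  # assumed correlation window


@dataclass
class Reset:
    ts: datetime
    agent: str        # help-desk agent who performed the reset
    user: str         # account that was reset
    action: str       # "mfa_reset" or "password_reset"
    verified_by: str  # identity-verification method the agent recorded


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    device: str
    success: bool


def known_profile(logins, user, before):
    """Return (ips, devices) the user successfully used before `before`.
    This is the per-user baseline a post-reset login is compared against."""
    prior = [l for l in logins if l.user == user and l.success and l.ts < before]
    return {l.ip for l in prior}, {l.device for l in prior}


def correlate(resets, logins):
    """Return one alert dict per reset that is suspicious on its own
    (weak verification) or is followed by a login from a new IP or device
    within LOGIN_WINDOW.  Resets that are well verified and followed only by
    logins from the user's usual IP/device produce no alert."""
    alerts = []
    for r in resets:
        reasons = []
        if r.verified_by in WEAK_VERIFICATION:
            reasons.append(f"identity verified by {r.verified_by!r} only")
        ips, devices = known_profile(logins, r.user, r.ts)
        for l in logins:
            in_window = r.ts <= l.ts <= r.ts + LOGIN_WINDOW
            if l.user == r.user and l.success and in_window:
                if l.ip not in ips or l.device not in devices:
                    reasons.append(
                        f"post-reset login from new ip/device {l.ip}/{l.device} "
                        f"at {l.ts:%Y-%m-%d %H:%M}"
                    )
        if reasons:
            alerts.append({"user": r.user, "agent": r.agent, "action": r.action,
                           "reset_at": r.ts, "reasons": reasons})
    return alerts


# --- Constructed sample data (not real logs) ---------------------------------
T = datetime(2025, 9, 15, 9, 0)
SAMPLE_LOGINS = [
    # jdoe's normal baseline, then a login from an unknown VM 12 min after reset
    Login(T - timedelta(days=3), "jdoe", "203.0.113.10", "LAPTOP-JD01", True),
    Login(T - timedelta(days=1), "jdoe", "203.0.113.10", "LAPTOP-JD01", True),
    Login(T + timedelta(minutes=12), "jdoe", "198.51.100.77", "UNKNOWN-VM", True),
    # asmith: well-verified reset, logs back in from the usual laptop
    Login(T - timedelta(days=2), "asmith", "203.0.113.22", "LAPTOP-AS01", True),
    Login(T + timedelta(minutes=30), "asmith", "203.0.113.22", "LAPTOP-AS01", True),
]
SAMPLE_RESETS = [
    Reset(T, "hd_agent1", "jdoe", "mfa_reset", "caller_id"),
    Reset(T, "hd_agent2", "asmith", "password_reset", "video_call_with_badge"),
    # bwong: weak verification, no login yet -> still worth a look
    Reset(T + timedelta(minutes=30), "hd_agent1", "bwong", "mfa_reset", "employee_id_only"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_RESETS, SAMPLE_LOGINS):
        print(f"{a['user']} ({a['action']} by {a['agent']} at {a['reset_at']:%H:%M}):")
        for reason in a["reasons"]:
            print("   -", reason)
```

The two signals are deliberately independent: a weakly verified reset is worth reviewing even before any login occurs, and a new-device login shortly after a reset is worth reviewing even when the ticket looks clean, since a convincing impostor can pass a weak check that the agent then records as a strong one. In practice the baseline should be built from weeks of history rather than a handful of events, and the ticket system should force the agent to record the verification method so that the first check has something to read.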
DFS is Hiring: Opportunities in Cybersecurity
DFS’s Cybersecurity Division is expanding, as the Department looks to fill key positions to strengthen its capacity to safeguard New York’s financial services industry. If you know someone with the skills and passion to make an impact, encourage them to explore these opportunities and share our careers page within your networks.
- Senior Attorneys: Provide legal and policy guidance on cybersecurity regulation, incident response, and enforcement. Opportunities available at multiple levels of experience.
- Cybersecurity Examiners: Conduct regulatory examinations of Covered Entities’ cybersecurity programs, including risk assessments, MFA implementation, and third-party oversight.
Visit the DFS Careers webpage for more information.
ICYMI: Annual Compliance Submissions Were Due in April
As a reminder, Covered Entities were required to submit their annual compliance notifications (Certification of Material Compliance or Acknowledgement of Noncompliance) by April 15, 2025. If not yet submitted, Covered Entities must submit such notifications through the DFS portal immediately.
Covered Entities that qualify for full exemptions from the Cybersecurity Regulation do not have to submit annual compliance notifications. However, Covered Entities that qualify for limited exemptions still are required to submit an annual notification regarding their compliance.
DFS has created step-by-step instructions for submitting either a Certification of Material Compliance or an Acknowledgement of Noncompliance. For instructions and guidance on which form to file, visit the Submit a Compliance Filing section in the Cybersecurity Resource Center.
***************
Don't Miss NYAMB's 38th Annual Conference & Awards Luncheon "AI Tech & Marketing Tradeshow"
Monday, November 10, 2025 8:30am - 6:00pm
Marina Del Rey, Throgs Neck (Bronx) NY
Who will be speaking?
Leading Experts in AI
Mortgage Industry Tech and Marketing Companies
Credit Company
Top Wholesale Lenders
Cybersecurity Experts
DFS Updates
Sessions, Exhibits, Lunch, Membership Meeting, Awards.....
Sign up now for NY's Longest Standing Wholesale Mortgage Conference: CLICK HERE
Sincerely,
Mark Favaloro
Chairman of the Board, Legislative Committee Co-Chair
New York Association of Mortgage Brokers