As of May 1, 2025, companies regulated by the New York Department of Financial Services (NYDFS) must meet the next tranche of mandatory cybersecurity requirements under 23 NYCRR Part 500. The NYDFS Cybersecurity Regulation is intended to harden the state's financial sector against financially motivated cybercriminals.
This deadline is the penultimate milestone in the phased rollout of the regulation, which was first adopted in 2017 and substantially amended in 2023. By now, most covered entities (banks, lenders, insurers, and related service providers doing business in New York) must have a broad set of cybersecurity controls in place.
Compliance Deadlines and Requirements
The deadlines have been staggered over several years so that covered entities can phase in the new requirements. The first, December 1, 2023, required entities to notify NYDFS of potentially damaging cybersecurity incidents, such as ransomware attacks, within 72 hours of determining that one had occurred.
Two further deadlines in April 2024 required annual cybersecurity audits, employee awareness training, penetration testing, and the annual compliance certification. That certification must now be signed by the entity's Chief Information Security Officer (CISO), a requirement that Sabeen Malik, VP of Global Government Affairs and Public Policy at Rapid7, singles out as notable.
The final phase arrives on November 1, 2025, when firms must complete their asset inventories and enforce multifactor authentication (MFA) for every individual accessing their information systems.
The May 1 deadline centered on access controls. Covered entities must now run a privileged access management (PAM) solution, disable or securely configure protocols that permit remote control of devices, and remove unused or stale accounts. Other items due on the same date include regular vulnerability scans, basic password hygiene, and the deployment of malware protection, centralized event logging, and endpoint detection and response (EDR).
Are the Rules Too Strict?
While the rules may look demanding, Malik argues they are table stakes for any company's long-term security. “These actions should be part of any business’s strategy by now, especially for mid- to large-sized companies,” she says. She also thinks the regulation could have gone further, particularly on the security of open-source software (OSS) dependencies.
Kirk J. Nahra, a partner at WilmerHale, takes the opposite view, warning that overly prescriptive rules leave companies little flexibility. “Not every company is the same, and dictating specific requirements can lead to confusion and frequent updates,” he says. Nahra would rather regulators focus on processes than on the details of individual incidents.
Malik remains confident in the financial industry’s ability to meet the requirements. “The financial sector is used to stringent compliance frameworks and is generally ahead of the curve when it comes to risk management,” she adds.