Updated:
July 2, 2026
New NYDFS Rules Tighten Compliance For Financial Firms
NYDFS has moved its cybersecurity regulation into a tougher compliance and enforcement phase, with final Second Amendment duties now active and recent settlements showing that weak incident reporting, access controls, vendor oversight, and data retention can trigger penalties. The latest official update came on May 21, 2026, when NYDFS issued threat-environment guidance for regulated entities.
What Is The NYDFS Cybersecurity Regulation Under 23 NYCRR Part 500?
The NYDFS Cybersecurity Regulation is New York’s cyber rule for financial services companies operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under state banking, insurance, or financial services laws. It requires covered entities to maintain risk-based cybersecurity programs that protect information systems and nonpublic information.
NYDFS enacted Part 500 on March 1, 2017, and later amended it in April 2020 to move the annual certification filing deadline from February 15 to April 15. The Second Amendment became effective on November 1, 2023, after DFS said cyberattacks had become more prevalent, more sophisticated, easier to launch, and more expensive to remediate.
The regulation now sits among the most active state cybersecurity regimes in the United States. NYDFS said on October 14, 2025, that it had entered consent orders with 27 entities under Superintendent Adrienne Harris, producing more than $144 million in cybersecurity regulation fines.

What Is The NYDFS Part 500 Timeline From 2017 To 2026?
The NYDFS Part 500 timeline runs from first-in-the-nation cyber regulation in 2017 to phased Second Amendment enforcement in 2026. The rule became effective in March 2017, received a limited filing-date amendment in April 2020, and received a major Second Amendment effective November 1, 2023.
NYDFS released early Second Amendment drafts in 2022 and 2023 before final adoption. New reporting requirements took effect on December 1, 2023. Most new requirements reached their 180-day compliance date on April 29, 2024.
The later phases were more operational. Governance, encryption, incident response, business continuity, and limited-exemption changes reached their 1-year deadline on November 1, 2024. Vulnerability management, access controls, malicious-code controls, and cybersecurity awareness training reached their 18-month deadline on May 1, 2025. The final 2-year phase for expanded MFA and asset inventory took effect on November 1, 2025.
The first annual certification cycle after those final requirements was due on April 15, 2026. NYDFS then announced a Delta Dental cybersecurity settlement on April 30, 2026, and issued heightened cyber threat guidance on May 21, 2026.
What Does NYDFS Part 500 Require After The 2025 Second Amendment Deadlines?
NYDFS Part 500 now requires written cybersecurity policies, CISO oversight, risk assessments, vulnerability management, access controls, MFA, asset inventories, incident response plans, business continuity and disaster recovery plans, vendor security policies, annual certifications, and cyber incident notices. The final 2025 phase made MFA and asset inventory central compliance duties.
The MFA rule requires multi-factor authentication for any individual accessing any covered entity information system, subject to limited exemptions and CISO-approved compensating controls. Limited-exemption entities must still use MFA for remote access, cloud-based third-party applications where nonpublic information is accessible, and privileged accounts except certain non-interactive service accounts.
The asset inventory rule requires written policies and procedures that produce and maintain a complete, accurate, documented inventory of information systems. The inventory must track key information such as owner, location, classification or sensitivity, support expiration date, recovery time objectives, and update frequency.
Which Companies Must Comply With NYDFS Cybersecurity Regulation Part 500?
NYDFS Part 500 applies to covered entities regulated under New York banking, insurance, or financial services law. Covered entities include partnerships, corporations, branches, agencies, associations, insurers, banks, mortgage companies, money transmitters, virtual currency businesses, and other firms operating under covered state authorizations.
Class A companies face extra duties. A Class A company must have at least $20 million in gross annual revenue in each of the last 2 fiscal years from relevant business operations and must either have more than 2,000 employees or more than $1 billion in gross annual revenue in each of the last 2 fiscal years.
Class A companies must conduct independent cybersecurity audits, monitor privileged access activity, use privileged access management, block commonly used passwords where feasible, deploy endpoint detection and response, and centralize logging and security event alerting unless the CISO approves comparable or stronger controls in writing.
What Penalties And Enforcement Tools Does NYDFS Use Under Part 500?
NYDFS can bring enforcement actions, impose civil monetary penalties, order remediation, review supporting records, and examine whether covered entities made accurate annual compliance filings. Part 500 penalty factors include consumer harm, violation gravity, violation duration, false or misleading information, senior governing body involvement, and consistency with frameworks such as NIST.
The largest recent group action came on October 14, 2025, when NYDFS secured more than $19 million from 8 auto insurance companies after hackers stole driver’s license numbers and dates of birth from online automobile insurance quoting systems. The companies included Farmers, Hagerty, Hartford, Infinity, Liberty Mutual, Metromile, Midvale, and State Auto.
The latest enforcement example came on April 30, 2026, when NYDFS announced a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York. DFS said the companies failed to maintain sufficient incident response policies, failed to apply retention practices that protected nonpublic information, and failed to report the MOVEit-related cybersecurity event on time.
What Should Financial Firms Do Now To Comply With NYDFS Part 500?
Financial firms should treat NYDFS Part 500 as an active operating program rather than an annual portal filing. Practical work includes MFA coverage testing, asset inventory validation, privileged access review, annual penetration testing, vulnerability scanning, incident response exercises, backup restoration tests, vendor reviews, and records supporting the April 15 compliance filing.
Compliance teams should confirm whether the entity qualifies for a full exemption, limited exemption, or Class A status. The wrong status can create filing, control, and certification errors. Covered entities with limited exemptions still need to file annual certifications or acknowledgments where Part 500 requires them.
Security teams should test whether all information systems are covered by MFA, whether compensating controls have written CISO approval, whether asset records include required fields, and whether alerts, logs, and vulnerability findings produce defensible evidence. Legal teams should review the cyber incident notice process, extortion payment notice process, and documentation retention rules.
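The asset inventory field list above and the "required fields" and MFA coverage tests in this section lend themselves to a repeatable check rather than a manual spreadsheet review. The following script is an added example, not Bright Defense's tooling or anything NYDFS publishes: it validates an inventory export against the record fields the Part 500 inventory rule names (owner, location, classification, support expiration date, recovery time objective, update frequency) and flags systems that report no MFA without a recorded CISO-approved compensating control. The CSV column names, the sample rows, and the audit date are constructed for the example; map them to your own inventory export.

```python
import csv
import io
from datetime import date

# Fields the Part 500 asset inventory rule says each record should track.
# These column names are assumptions for this example, not a NYDFS schema.
INVENTORY_FIELDS = ["owner", "location", "classification",
                    "support_expiration", "rto_hours", "update_frequency"]

# Constructed sample export: one compliant row, one with several gaps,
# and one non-MFA system that carries a written compensating-control approval.
SAMPLE_INVENTORY_CSV = """asset_id,owner,location,classification,support_expiration,rto_hours,update_frequency,mfa_enforced,compensating_control_approval
app-01,alice,us-east-dc1,NPI,2027-06-30,4,monthly,yes,
app-02,,us-east-dc1,NPI,2024-01-15,8,quarterly,no,
svc-03,bob,cloud-vendor-a,internal,2026-12-31,,weekly,no,CISO-APPROVAL-2025-11-01
"""

# Constructed audit date used for the support-expiration comparison.
AUDIT_DATE = date(2026, 6, 18)


def parse_inventory(csv_text):
    """Parse a CSV export into one dict per asset."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_asset(row, today):
    """Return a list of finding codes for a single inventory row."""
    findings = []
    # Every required inventory field must be populated.
    for field in INVENTORY_FIELDS:
        if not (row.get(field) or "").strip():
            findings.append(f"missing:{field}")
    # A support expiration date in the past means the system is out of support.
    exp = (row.get("support_expiration") or "").strip()
    if exp:
        try:
            if date.fromisoformat(exp) < today:
                findings.append("support_expired")
        except ValueError:
            findings.append("invalid:support_expiration")
    # No MFA is acceptable only with a written CISO-approved compensating control.
    mfa = (row.get("mfa_enforced") or "").strip().lower()
    approval = (row.get("compensating_control_approval") or "").strip()
    if mfa != "yes" and not approval:
        findings.append("mfa_gap")
    return findings


def audit_inventory(csv_text, today):
    """Map each asset_id to its list of findings (empty list means clean)."""
    return {row["asset_id"]: check_asset(row, today)
            for row in parse_inventory(csv_text)}


def summarize(results):
    """Count findings by category (the part before the colon)."""
    counts = {}
    for findings in results.values():
        for code in findings:
            key = code.split(":")[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY_CSV, AUDIT_DATE)
    for asset_id, findings in results.items():
        print(asset_id, "OK" if not findings else ", ".join(findings))
    print(summarize(results))
```

Running it against a real export gives a per-asset finding list that can be attached to the April 15 filing evidence; the summary counts are the numbers an examiner is likely to ask for first (how many systems lack an owner, how many are out of support, how many lack MFA without an approved exception).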
How Has The Financial Industry Responded To NYDFS Part 500 Amendments?
Industry response has centered on cost, implementation time, CISO accountability, expanded MFA, asset inventory, and third-party governance. Law firms and compliance advisers warned that the final November 1, 2025 phase moved the rule from policy updates into system-wide technical proof.
NYDFS continued to issue guidance as firms adjusted. In February 2026, legal advisers reported that NYDFS had added and revised MFA FAQs after the expanded MFA requirement became active on November 1, 2025. The guidance reflected industry questions about how far the new MFA rule extends across users, systems, and access contexts.
Vendor risk became another pressure point. On October 21, 2025, NYDFS issued third-party service provider guidance that said covered entities may not delegate responsibility for Part 500 compliance to vendors, affiliates, or managed service providers. That position affects financial firms that depend on cloud, AI, fintech, managed IT, help desk, file transfer, and claims management vendors.
What Are The Business Costs And Legal Risks From NYDFS Cyber Noncompliance?
NYDFS cyber noncompliance can create direct penalties, remediation costs, legal exposure, customer notification costs, higher audit burden, operational disruption, and leadership risk. The cost profile rises when a cyber incident exposes nonpublic information and the firm cannot produce evidence of required controls.
The 2025 auto-insurer settlements show the business risk of weak web application access controls. NYDFS said hackers used public-facing quoting tools and agent portals to obtain nonpublic information, including driver’s license numbers.
The Delta Dental order shows the cost of weak retention and late reporting. NYDFS said the companies did not notify the department until December 15, 2023, even though a webshell was found on June 1, 2023, and evidence of file exfiltration was found on July 6, 2023. NYDFS tied that delay to deficient incident response policies and reporting procedures.
What Questions Remain About NYDFS Cyber Compliance In 2026?
The main open questions in 2026 involve MFA interpretation, enforcement expectations after the April 15, 2026 filing cycle, Class A implementation reviews, vendor-risk examinations, and how NYDFS will treat AI-related cyber threats. NYDFS guidance shows active supervision rather than a closed rulemaking phase.
The May 21, 2026 heightened threat guidance did not create new legal requirements, but it recommended steps such as remediating known exploited vulnerabilities, restricting MFA enrollment changes, using phishing-resistant MFA, segmenting networks, validating cloud configurations, reviewing privileged access, testing backups, and reviewing threat-relevant response procedures.
No major court ruling was found that changed the core Part 500 obligations as of June 18, 2026. The unresolved issue is how aggressively NYDFS will use the amended rule after the final transition phase and after firms filed the first post-deadline compliance notices.
Why Does NYDFS Part 500 Matter For U.S. Cybersecurity Compliance?
NYDFS Part 500 matters because it shows how state regulators can turn cybersecurity into a board, CISO, and business accountability issue. The rule links technical controls to annual executive certification, incident reporting, vendor oversight, and enforcement penalties.
The broader significance extends outside New York. NYDFS said Part 500 has served as a model for the Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors Nonbank Model Data Security Law.
The rule’s direction is clear. Cyber compliance for financial firms is moving toward provable controls, signed accountability, third-party oversight, and fast incident reporting. Firms that rely on policy documents without technical evidence face greater examination and enforcement risk.
How Bright Defense Helps Financial Firms Meet NYDFS Part 500 Cyber Rules
Bright Defense helps banks, insurers, fintechs, mortgage companies, money transmitters, and other regulated financial firms prepare for NYDFS Part 500 through Penetration Testing, Continuous Compliance, and Security Assessments. These services support control testing, vulnerability remediation, MFA validation, asset exposure review, incident readiness, and evidence collection.
For NYDFS readiness, Bright Defense can test applications and infrastructure, review privileged access paths, assess cloud and vendor-connected systems, validate segmentation, examine logging and monitoring coverage, and help teams document technical findings. That work helps financial firms support annual certifications, examinations, incident response decisions, and remediation plans with stronger operating evidence.
Sources Cited In This NYDFS Part 500 Report
- New York Department of Financial Services – Cybersecurity Resource Center, 23 NYCRR Part 500 (Accessed June 18, 2026)
  https://www.dfs.ny.gov/industry_guidance/cybersecurity
- New York Department of Financial Services – Second Amendment To 23 NYCRR Part 500 (November 1, 2023)
  https://www.dfs.ny.gov/industry_guidance/regulations/final_adoptions_fs/rf_fs_2amend23NYCRR500_text_20231101_alt
- New York Department of Financial Services – Acting Superintendent Kaitlin Asrow Secures $2.25 Million Cybersecurity Settlement With Delta Dental (April 30, 2026)
  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20260430
- New York Department of Financial Services – Consent Order To Delta Dental Insurance Company And Delta Dental Of New York, Inc. (April 30, 2026)
  https://www.dfs.ny.gov/industry-guidance/enforcement-discipline/ea20260430
- New York Department of Financial Services – Guidance On Measures Regulated Entities Should Consider In A Heightened Cybersecurity Threat Environment (May 21, 2026)
  https://www.dfs.ny.gov/industry-guidance/industry-letters/20260521-guidance-on-measures-reg-entities-should-consider-in-a-hcte
- New York Department of Financial Services – Guidance On Managing Risks Related To Third-Party Service Providers (October 21, 2025)
  https://www.dfs.ny.gov/industry-guidance/industry-letters/il20251021-guidance-managing-risks-third-party
- New York Department of Financial Services – Superintendent Harris Secures More Than $19 Million From Auto Insurance Companies Over Data Breaches (October 14, 2025)
  https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20251014
- New York Attorney General – Attorney General James Secures $14.2 Million From Car Insurance Companies Over Data Breaches (October 14, 2025)
  https://ag.ny.gov/press-release/2025/attorney-general-james-secures-142-million-car-insurance-companies-over-data
- Hogan Lovells – NYDFS Final Set Of Cybersecurity Requirements Under Amended Part 500 Take Effect November 1, 2025 (October 22, 2025)
  https://www.hoganlovells.com/en/publications/nydfs-final-set-of-cybersecurity-requirements-under-amended-part-500-take-effect-november-1-2025
- Steptoe – Final NYDFS Cybersecurity Rules Take Effect: What Financial Services Companies Must Do Now (November 3, 2025)
  https://www.steptoe.com/en/news-publications/final-nydfs-cybersecurity-rules-take-effect-what-financial-services-companies-must-do-now.html
- Mayer Brown – NYDFS Releases And Revises Multi-Factor Authentication FAQs (February 25, 2026)
  https://www.mayerbrown.com/en/insights/publications/2026/02/nydfs-releases-and-revises-comprehensive-multi-factor-authentication-faqs
- Greenberg Traurig – NYDFS Final Cybersecurity Rules: MFA, Asset Inventory, And Third-Party Risk (November 2025)
  https://www.gtlaw.com/en/insights/2025/11/nydfs-final-cybersecurity-rules-mfa-asset-inventory-and-third-party-risk
- Herbert Smith Freehills Kramer – NYDFS Fines 8 Auto Insurance Companies Over $19 Million For Cybersecurity Violations (October 28, 2025)
  https://www.hsfkramer.com/insights/2025-10/nydfs-fines-eight-auto-insurance-companies-over-19-million-dollars-for-cybersecurity-violations