New York Tightens Cybersecurity Rules: What Businesses Need to Know About the New MFA and Asset Inventory Requirements

Written by: Lee Merreot, Esq., CIPM, CIPP/US, CIPP/E, CDPO

**Attorney Advertisement**

Beginning November 1, 2025, New York’s Department of Financial Services (NYDFS) will make effective two key requirements that businesses under its regulation must meet: mandatory multifactor authentication (MFA) for individuals accessing information systems, and a documented asset inventory of those systems and related resources. These changes follow amendments made in November 2023 to NYDFS’s cybersecurity regulation (23 NYCRR Part 500).[1]

While these rules directly apply to NYDFS‑regulated entities (banks, insurers, etc.), they also serve as a signal of shifting expectations for any business that handles sensitive or nonpublic information, especially those connected to or doing business in New York.

What’s Changing on November 1, 2025

  • Expanded MFA requirement
    As of Nov. 1, 2025, any individual accessing any information system of a NYDFS-covered entity must use MFA, regardless of their location, type of use, or what information is on those systems. The only exception is if the covered entity’s CISO approves, in writing, reasonably equivalent or more secure compensating controls, with periodic review (at minimum annually).[2]
    For smaller businesses that qualify for the “small business” exemption, MFA will still be required for remote access, third‑party applications (including cloud-based) with nonpublic information, and privileged accounts (excluding service accounts that prohibit interactive login).[3]
  • Asset inventory obligation
    Covered entities, including financial institutions, insurers, and other organizations regulated by the NYDFS, must adopt written policies and procedures to produce and maintain a complete, accurate, and documented inventory of information systems. Among the required components: tracking for each asset the “owner,” “location,” “classification or sensitivity,” “support expiration date,” and “recovery time objectives.” The documentation must also specify how often the inventory is updated and validated.[4]

Together, these new requirements work to close two major gaps: controlling who can access systems (via strengthened MFA) and ensuring you know what systems you have and where the risk lies.

Understanding MFA — Why It’s Now Being Emphasized

What is MFA?
MFA requires two or more different types of authentication factors, generally drawn from:

  1. Knowledge factors – something you know (e.g., password, PIN)
  2. Possession factors – something you have (e.g., security token, mobile device)
  3. Inherence factors – something you are (e.g., biometric traits like fingerprints)[5]

Why the broader requirement now?

For many years, NYDFS recognized MFA as one of many “effective controls,” but did not require it across all access paths. The November 2023 amendment changed that. The regulation now mandates MFA for all access (unless the CISO approves compensating controls) and applies to any information system of a covered entity.[2] The reason is clear: credential-based attacks remain a top threat vector, and MFA is widely viewed as a cost-effective, high-impact control.

Not all MFA is equal:

  • Weaker forms: SMS codes, which are vulnerable to SIM-swap attacks, and push notifications without number matching, which are vulnerable to “push fatigue.”
  • Stronger forms: app-based MFA with number matching; hardware tokens; biometric factors with strong anti-spoofing.[6]
  • NYDFS encourages use of more secure or phishing-resistant MFA where feasible, even though it does not strictly mandate the most expensive/hardware-token-only approach for all entities.[7]

The Risks of Noncompliance

  • Regulatory enforcement and financial penalty:
    In August 2025, NYDFS levied a $2 million civil penalty against Healthplex, Inc., for violations of Part 500, including failing to have MFA enabled for certain email access at the time of a phishing attack.[8]
  • Operational and reputational harm:
    Data breaches lead to loss of customer trust, brand damage, and the costs of incident response and remediation. Noncompliance may also lead to required audits, legal exposure, and loss of business relationships.
  • Contractual and vendor risk:
    Many downstream contracts now reference “industry standard” cybersecurity or require adherence to regulations like Part 500. Failure can lead to broader liability beyond just direct regulation.
  • Cumulative:
    Even if your organization has MFA in place, gaps in coverage on third-party applications or service accounts, or a failure to document compensating controls, can become a liability. Similarly, unknown assets (e.g., forgotten servers) are open doors for attackers.

What You Can Do to Help Ensure (and Demonstrate) Compliance

Here’s a practical roadmap to get ready for Nov. 1, 2025:

  • Perform a gap analysis
    Map current systems, user access, and MFA coverage. Identify where individuals still log in with single-factor authentication or where controls aren’t documented.
  • Select and implement MFA strategically
    Prioritize stronger MFA methods if possible. For legacy systems, consider proxies or gateways that enable MFA. If you decide to lean on compensating controls, ensure your CISO approves and documents them, and schedule annual reviews.
  • Build your asset inventory
    Identify all information systems, including hardware, software, and cloud services. For each item, record the owner, location, sensitivity/classification, support status, and recovery objectives. Put processes in place to update and validate this inventory regularly.
  • Update policies, procedures, and governance framework
    Ensure your cybersecurity program, policies, and procedures reflect the new requirements in 23 NYCRR Part 500. Assign responsibility (to CISO or equivalent), obtain required written approvals where needed, and include compensating control policies if applicable.
  • Train staff and test your controls
    Educate employees on MFA, phishing risks, and how to properly access systems. Conduct internal audits, penetration testing, and regular checks to confirm MFA is working as intended.
  • Monitor, review, and document
    Keep logs of access, MFA failures, and policy exceptions. Periodically review privileged accounts. Maintain evidence of compliance, for example, through audit trails, documentation of compensating controls, and inventory updates.
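The gap analysis, asset inventory, and monitoring steps above lend themselves to a repeatable self-check. The following is an added example, not code from the article or from NYDFS: it validates a sample asset inventory against the fields the article lists (owner, location, classification, support expiration date, recovery time objective) and a documented update cadence, then flags every interactive account that has neither MFA nor a CISO-approved compensating control reviewed within the last year. The record layout, field names, sample data, and the 365-day review window are assumptions chosen for illustration.

```python
"""Added compliance self-check (illustrative; not the article's or NYDFS's code).

Models two obligations discussed above:
  1. The asset inventory must carry, per asset, the owner, location,
     classification, support expiration date and recovery time objective,
     and must document how often it is updated and validated.
  2. Every individual accessing a system must use MFA, unless the CISO has
     approved compensating controls in writing, reviewed at least annually.
Field names, sample records and the 365-day window are assumptions.
"""
from datetime import date, timedelta

# Fields the article says each asset record must track (names assumed here).
REQUIRED_ASSET_FIELDS = (
    "owner",
    "location",
    "classification",
    "support_expiration",
    "recovery_time_objective_hours",
)


def validate_inventory(inventory, today):
    """Return (asset_id, issue) findings for an inventory dict.

    The inventory must state an update frequency and its last validation
    date; each asset must have every required field, and expired vendor
    support is flagged because such assets are no longer maintained.
    """
    findings = []
    freq = inventory.get("update_frequency_days")
    last = inventory.get("last_validated")
    if not freq or not last:
        findings.append(("inventory", "no documented update/validation cadence"))
    elif today > last + timedelta(days=freq):
        findings.append(("inventory", f"validation overdue since {last + timedelta(days=freq)}"))
    for asset in inventory["assets"]:
        for field in REQUIRED_ASSET_FIELDS:
            if asset.get(field) in (None, ""):
                findings.append((asset["id"], f"missing {field}"))
        expiry = asset.get("support_expiration")
        if expiry and expiry < today:
            findings.append((asset["id"], f"support expired {expiry}"))
    return findings


def mfa_gaps(accounts, today, review_window_days=365):
    """Return (user, issue) for accounts outside the MFA requirement.

    Service accounts that prohibit interactive login are skipped, matching
    the carve-out the article describes. Everyone else needs MFA or a
    CISO-approved compensating control reviewed within the window.
    """
    gaps = []
    for acct in accounts:
        if acct.get("service_account") and not acct.get("interactive_login", True):
            continue  # no individual logs in with this account
        if acct.get("mfa_enrolled"):
            continue
        control = acct.get("compensating_control")
        if not control:
            gaps.append((acct["user"], "no MFA and no compensating control"))
        elif not control.get("ciso_approved"):
            gaps.append((acct["user"], "compensating control lacks written CISO approval"))
        elif today - control["last_reviewed"] > timedelta(days=review_window_days):
            gaps.append((acct["user"], "compensating control review overdue"))
    return gaps


# Constructed sample data (not real systems or people).
TODAY = date(2025, 11, 1)
SAMPLE_INVENTORY = {
    "update_frequency_days": 90,
    "last_validated": date(2025, 9, 15),
    "assets": [
        {"id": "srv-db-01", "owner": "dba-team", "location": "dc-buffalo",
         "classification": "NPI", "support_expiration": date(2027, 6, 30),
         "recovery_time_objective_hours": 4},
        {"id": "srv-legacy-fileshare", "owner": "", "location": "dc-buffalo",
         "classification": "NPI", "support_expiration": date(2024, 10, 14),
         "recovery_time_objective_hours": None},
        {"id": "saas-crm", "owner": "sales-ops", "location": "cloud-vendor",
         "classification": "NPI", "support_expiration": date(2026, 12, 31),
         "recovery_time_objective_hours": 24},
    ],
}
SAMPLE_ACCOUNTS = [
    {"user": "alice", "mfa_enrolled": True},
    {"user": "bob", "mfa_enrolled": False},
    {"user": "carol", "mfa_enrolled": False,
     "compensating_control": {"ciso_approved": True, "last_reviewed": date(2024, 9, 1)}},
    {"user": "dave", "mfa_enrolled": False,
     "compensating_control": {"ciso_approved": False, "last_reviewed": date(2025, 10, 1)}},
    {"user": "svc-backup", "mfa_enrolled": False,
     "service_account": True, "interactive_login": False},
]

if __name__ == "__main__":
    for scope, issue in validate_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"[inventory] {scope}: {issue}")
    for user, issue in mfa_gaps(SAMPLE_ACCOUNTS, TODAY):
        print(f"[mfa] {user}: {issue}")
```

Run against the constructed data, the inventory check reports only the legacy file share (missing owner, missing recovery time objective, expired support), and the MFA check reports bob, carol and dave while skipping the non-interactive service account; the same two functions can be pointed at an export from a CMDB or identity provider to produce the evidence trail the monitoring step calls for.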

How The Beckage Firm Can Help

We assist organizations in meeting these NYDFS rule changes through:

  • Legal guidance tailored to your specific business (size, risk exposure, systems)
  • Help drafting or revising policies and procedures to align with the regulation
  • Support in choosing, implementing, and documenting appropriate MFA solutions and compensating controls
  • Assistance in creating and maintaining asset inventories that meet the required criteria
  • Readiness for audits and regulatory inquiries

If you want help getting ready for November 1, 2025, or just want to make sure you’re keeping pace with cyber-risk best practices, The Beckage Firm is here to guide you.

Conclusion

November 1 is nearly here, and it’s not just another compliance deadline—it may mark a shift in how organizations regard cybersecurity. By broadly embedding MFA and gaining visibility into your assets, you position your organization not just to comply, but to defend.

This is your chance to move from a reactive posture to a proactive one.

If your organization wants to ensure it’s ready—or wants to turn compliance into a competitive differentiator—The Beckage Firm is here to guide you.

[1] New York State Department of Financial Services, “Final Second Amendment to 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies,” NYDFS (November 1, 2023), https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

[2] New York State Department of Financial Services, “Cybersecurity Regulation Training Presentation – Key Compliance Dates,” NYDFS (November 8, 2023), https://www.dfs.ny.gov/industry_guidance/cybersecurity/training_presentation_20231108.

[3] New York State Department of Financial Services, “Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500),” NYDFS (n.d., accessed October 29, 2025), https://www.dfs.ny.gov/industry_guidance/cybersecurity.

[4] New York State Department of Financial Services, “23 NYCRR §500.13(a) – Asset Inventory Requirements,” NYDFS (November 1, 2023), https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

[5] New York State Department of Financial Services, “23 NYCRR §500.1(j) – Definition of Multi-Factor Authentication,” NYDFS (November 1, 2023), https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

[6] Cybersecurity & Infrastructure Security Agency, “Implementing Phishing-Resistant Multi-Factor Authentication,” CISA (July 2022), https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf.

[7] New York State Department of Financial Services, “Assessment of Public Comments on Proposed Amendments to 23 NYCRR Part 500,” NYDFS (June 28, 2023), https://www.dfs.ny.gov/system/files/documents/2025/07/2023-06-28-apc-first-apc-for-reg.pdf.

[8] New York State Department of Financial Services, “Superintendent Adrienne A. Harris Announces $2 Million Penalty in Cybersecurity Settlement with Healthplex, Inc.,” NYDFS (August 14, 2025), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr20250814.
