Cybersecurity regulation used to feel like something that lived with legal, compliance, and security teams. Important, yes. But still somewhat contained.

That’s not where we are anymore.

The New York Department of Financial Services (NYDFS) cybersecurity regulation, known as 23 NYCRR Part 500, has become one of the clearest signals of where financial services cybersecurity is heading. It’s no longer enough for regulated entities to have policies, annual filings, and a security programme that looks tidy from a distance. 

NYDFS now expects organisations to prove that cybersecurity risk is understood, governed, tested, and owned at senior levels. That shift matters because the threat environment has changed. IBM’s 2025 Cost of a Data Breach Report puts the global average cost of a data breach at USD 4.4 million. 


FS-ISAC’s Navigating Cyber 2025 also warns that financial firms are facing rising pressure from generative AI-enabled fraud, supplier attacks, ransomware, and distributed denial of service (DDoS) attacks. In other words, NYDFS Part 500 isn’t just a New York compliance story. It’s a board-level resilience test hiding in plain sight.

How NYDFS Cybersecurity Regulation Has Changed

NYDFS cybersecurity regulation first came into effect in 2017, setting cybersecurity requirements for financial services companies regulated by the department. Since then, the regulation has been amended to reflect a much messier reality: more ransomware, more cloud dependency, more third-party exposure, and more ways for attackers to slip through gaps organisations didn’t know they had.

The Second Amendment to Part 500 took effect on 1 November 2023, with phased compliance deadlines stretching into 2025. Some requirements became effective quickly. Others gave covered entities more time to adjust, including final deadlines around multi-factor authentication (MFA) and asset inventory.

The important change is not just the list of controls. It’s the direction of travel.

NYDFS is pushing covered entities toward cybersecurity governance that can stand up to pressure. Senior governing bodies need enough understanding to oversee cyber risk. Cybersecurity programmes need to be based on risk assessments, not generic templates. 

Class A companies, which are larger covered entities meeting specific employee and revenue thresholds, face heightened obligations because their size and complexity create bigger risk. That’s the part boards should pay attention to. 

The regulation is asking a simple but uncomfortable question: can leadership prove the organisation knows where its real cyber risk lives?

Why MFA and asset visibility became central requirements

Multi-factor authentication is one of those controls that sounds basic until it’s missing. At its simplest, MFA means a user needs more than a password to access a system. That extra step could be an app approval, hardware token, biometric check, or another verified factor.

It matters because passwords fail all the time. They’re stolen, reused, guessed, phished, and dumped into criminal marketplaces. MFA doesn’t make identity security perfect, but it makes the attacker’s job harder.

Asset inventory works in the same practical way. You can’t protect systems you don’t know exist. If a server, application, endpoint, cloud workload, or privileged account sits outside the organisation’s view, it becomes an open door no one remembers building.

That’s why NYDFS’s focus on MFA and asset inventory makes operational sense. These are not decorative controls. They’re the foundation for vulnerability management, access control, incident response, and ransomware defence.

The financial sector threat picture reinforces that point. FS-ISAC’s 2025 report highlights ransomware, supplier attacks, and DDoS as major pressures on financial services. The Federal Reserve’s 2025 cybersecurity and financial system resilience work also points to supply chain risks and current and emerging cybersecurity threats as key areas of concern.

Visibility is no longer a technical nice-to-have. It’s the difference between managing risk and hoping nothing is sitting just out of frame.

Why Third-Party Risk Is Now A Major Compliance Pressure Point

Most financial services organisations don’t operate alone anymore. They rely on cloud platforms, Software as a Service (SaaS) tools, managed service providers, fintech partners, file transfer systems, artificial intelligence providers, and outsourced operational support.

That’s efficient. It’s also risky.

On 21 October 2025, NYDFS issued guidance on managing risks related to third-party service providers. The guidance doesn’t create new requirements, but it clarifies how covered entities should think about their existing obligations under Part 500. The message is blunt in the way only regulators can manage: using a vendor doesn’t transfer accountability.

If a third-party provider has access to non-public information or information systems, its weaknesses can become your operational problem. A vendor incident can interrupt services, expose sensitive data, trigger reporting obligations, and damage trust with customers who may never have heard the vendor’s name before.

NYDFS expects covered entities to manage that risk through due diligence, contractual protections, ongoing monitoring, and governance. That means checking providers before onboarding them, making security expectations clear in contracts, and continuing to monitor whether those controls still hold once the relationship is live.

This is where third-party cyber risk becomes more than procurement paperwork. It becomes part of resilience planning.

The end of “shared responsibility” as a compliance shield

The phrase “shared responsibility” gets used a lot in cloud and vendor conversations. And to be fair, it has a real purpose. Providers are responsible for some layers of security, while customers are responsible for others.

The problem starts when organisations treat shared responsibility like shared blame.

NYDFS’s third-party guidance makes that harder to do. Covered entities remain accountable for protecting consumers, managing risk, and securing non-public information when they use third-party service providers.

That changes the boardroom conversation. It’s not enough to ask whether the vendor says it’s secure. Leaders need to know how that assurance is tested, how exceptions are handled, how incidents are reported, and what happens if a critical provider goes down.

The Federal Reserve’s November 2025 paper on cyber vulnerabilities at large US financial institutions and their third-party service providers puts this into sharper focus. It describes third-party service providers as a “hidden cyber fault line” in the financial system and warns that catastrophic events targeting those providers could create losses far larger than routine incidents.

That’s the real issue. Third-party risk isn’t outside the business. It’s woven into how the business runs.

AI, Deepfakes, And The Expanding Scope Of Cyber Risk

AI has now entered the NYDFS cybersecurity conversation, but not as a separate regulation. In October 2024, NYDFS issued guidance explaining how covered entities should use the existing Part 500 framework to assess and manage cybersecurity risks linked to artificial intelligence.

That distinction matters. NYDFS isn’t saying, “Here’s a new AI rulebook.” It’s saying, “Your current cybersecurity obligations already apply when AI changes the risk.”

And AI is changing the risk.

Attackers can use generative AI to create more convincing phishing emails, automate social engineering, translate scams at scale, and produce deepfake audio or video that impersonates trusted people. Deepfakes are especially dangerous in financial services because so much depends on trust, approval chains, and identity verification.

There’s also the quieter side of AI risk: how organisations use these tools internally. Employees may enter sensitive information into unsanctioned tools. Vendors may build AI into services without clear transparency. Teams may adopt AI faster than governance can keep up.

IBM’s 2025 breach research found that 63 per cent of organisations lacked AI governance policies to manage AI or prevent shadow AI. It also found that 97 per cent of organisations reporting an AI-related security incident lacked proper AI access controls.

That’s the governance gap NYDFS is pointing toward.


For financial services firms, AI cybersecurity risks now need to sit inside risk assessments, training, access controls, incident response plans, vendor reviews, and data governance. Not because AI is magic. Because it changes how fraud, impersonation, data leakage, and operational risk show up.

What Enterprises Should Prioritise Before Regulators Force The Issue

The practical lesson from NYDFS Part 500 is not “buy more tools.” It’s “prove you understand your environment.”

That starts with executive-level cyber governance. Boards don’t need to become security engineers, but they do need enough understanding to ask better questions. What are the most serious cyber risks? Which systems matter most to operations? Which third parties are critical? What controls have been tested? Where are exceptions being carried?

Then comes evidence. Risk assessments should reflect the actual business, not a copied framework with the logo changed. Asset inventories should be maintained, not rebuilt in a panic during an incident. Incident response plans should be tested with the people who’ll actually need to use them. 

Vendor reviews should connect to operational dependency, not just questionnaire completion. Identity and access controls also need regular attention. 

  • Who has privileged access? 
  • Is it still needed? 
  • Is MFA enforced where it should be? 
  • Are service accounts monitored? 
  • Can access be removed quickly when roles change?
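As an added example (not from the article), here is the checklist above turned into a review that produces evidence rather than a yes/no answer, run over a small constructed set of account records; the field names, the 90-day staleness threshold, and the choice to check service accounts for monitoring rather than interactive MFA are assumptions:

```python
from datetime import date, timedelta

# Constructed sample access records for illustration only; field names are assumptions.
TODAY = date(2025, 12, 1)
STALE_AFTER = timedelta(days=90)

ACCOUNTS = [
    {"id": "alice", "privileged": True, "service_account": False, "mfa_enforced": True,
     "monitored": True, "last_used": date(2025, 11, 20), "role_changed": None,
     "access_reviewed": date(2025, 10, 1)},
    {"id": "bob", "privileged": True, "service_account": False, "mfa_enforced": False,
     "monitored": True, "last_used": date(2025, 11, 25), "role_changed": date(2025, 11, 10),
     "access_reviewed": date(2025, 9, 15)},
    {"id": "svc-backup", "privileged": True, "service_account": True, "mfa_enforced": False,
     "monitored": False, "last_used": date(2025, 11, 30), "role_changed": None,
     "access_reviewed": date(2025, 10, 1)},
    {"id": "carol", "privileged": False, "service_account": False, "mfa_enforced": True,
     "monitored": True, "last_used": date(2025, 7, 1), "role_changed": None,
     "access_reviewed": date(2025, 6, 1)},
]

NO_MFA = "privileged interactive account without MFA"
STALE = "access unused for more than 90 days; confirm it is still needed"
UNMONITORED = "service account not monitored"
ROLE_DRIFT = "role changed after the last access review"

def review_access(accounts, today=TODAY):
    """Return (account id, issue) pairs for every check an account fails."""
    findings = []
    for a in accounts:
        # Service accounts usually cannot complete interactive MFA; they are
        # checked for monitoring instead (compensating-control assumption).
        if a["privileged"] and not a["service_account"] and not a["mfa_enforced"]:
            findings.append((a["id"], NO_MFA))
        if today - a["last_used"] > STALE_AFTER:
            findings.append((a["id"], STALE))
        if a["service_account"] and not a["monitored"]:
            findings.append((a["id"], UNMONITORED))
        if a["role_changed"] and a["role_changed"] > a["access_reviewed"]:
            findings.append((a["id"], ROLE_DRIFT))
    return findings

def evidence_summary(accounts, today=TODAY):
    """Counts a reviewer can attach to the governance record as evidence."""
    findings = review_access(accounts, today)
    by_check = {}
    for _, issue in findings:
        by_check[issue] = by_check.get(issue, 0) + 1
    return {"accounts_reviewed": len(accounts), "findings": len(findings), "by_check": by_check}
```

Running the same review on each cycle and keeping the summaries is what turns "MFA is enforced" from a policy statement into something a board or examiner can check.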

None of this is glamorous. That’s probably why it matters.

Compliance is becoming a proof problem

The old compliance model rewarded documentation. The new one still needs documentation, but it wants evidence behind it.

That means organisations need to show how their cybersecurity programme works in practice. Not just that a policy exists, but that it’s been implemented. Not just that incident response is documented, but that it’s been tested. Not just that third-party risk is acknowledged, but that it’s monitored and governed.

NYDFS’s enforcement posture points in the same direction. In August 2025, the department announced a US$2 million penalty against Healthplex, citing Part 500 violations after cybersecurity control failures contributed to the exposure of private health data and non-public information.

That’s the warning. Regulators are no longer treating cyber compliance as a paper exercise. They’re looking at whether controls actually worked when they were needed.

Final Thoughts: Cybersecurity Compliance Is Becoming Operational Accountability

NYDFS Part 500 shows where cybersecurity regulation is heading. The question is no longer whether a financial services organisation has a cyber policy, a named security leader, or an annual compliance filing. Those things still matter, but they’re now the baseline.

The harder question is whether leadership can prove operational control.

That means knowing which assets exist, how identities are protected, how third parties are governed, how AI changes the risk picture, and how quickly the organisation can respond when something goes wrong. It also means accepting that cybersecurity is no longer a technical function sitting somewhere near IT. It’s part of business resilience.

Other regulators are likely to keep moving in the same direction. AI adoption, cloud dependency, supply-chain exposure, and infrastructure complexity aren’t slowing down politely so governance can catch up. Very rude of them, really.

But that’s the point. Cyber resilience will increasingly be measured by how well organisations understand and govern the systems they depend on.

EM360Tech will continue tracking how cybersecurity regulation, operational resilience, AI governance, and infrastructure risk are changing across enterprise technology, so leaders can make sense of the pressure before it becomes another boardroom fire drill.