NYDFS Part 500: Are You Ready for New York’s Cybersecurity Rules?
Baljeet Sandhu, CTO
8 Min. Read | January 26, 2022
Last Updated: Oct. 22, 2025
The New York Department of Financial Services (NYDFS) Part 500 regulation sets the benchmark for financial cybersecurity. With its 2023–2024 updates, covered entities must now prove they can detect, prevent, and respond to cyber threats, especially through phishing-resistant multi-factor authentication (MFA). If your MFA relies on passwords, SMS codes, or push approvals, you may not be compliant.
What you’ll learn
- What NYDFS Part 500 requires for cybersecurity programs
- Key updates to Section 500.12 on multi-factor authentication
- Common compliance pitfalls and DFS enforcement trends
- How phishing-resistant MFA supports full compliance
What Is the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of legal obligations for certain companies operating in New York and has been fully in force since early 2019.
The legislation is designed to counter the large-scale increase in cyberthreats to financial firms that conduct business in New York and protect customers and their data from cybercriminals. Cyberattacks that focus on stealing customer data continue to grow in frequency and scope, especially with the move to remote working during the COVID-19 crisis. These attacks are heightened by inadequate data protection protocols, with lack of effective multi-factor authentication (MFA) the most frequently exploited cybersecurity gap. According to the NYDFS’ figures from January 2020 to July 2021:
- 18.3 million customers were affected by cyberattacks reported to the NYDFS
- 64% of the companies reporting attacks had gaps in their MFA
- 23% of small businesses suffered cyberattacks
- 82% of these small businesses had not properly implemented MFA
Non-compliance with the NYDFS legislation has already resulted in multimillion-dollar fines for businesses, as we discussed with legal expert Rafi Azim-Khan. Not only are non-compliant firms materially affected through direct government fines and penalties, but they can also incur significant costs for expedited remedial security work. On top of that, revenue may be impacted through ineligibility for tenders and loss of consumer trust.
Who Must Comply: Banks, insurers, mortgage brokers, and virtual currency firms licensed under New York law.
Key Goal: Protect “nonpublic information” through strong authentication and proactive risk management.
Who Must Comply With NYDFS Part 500?
As stated in the NYDFS Cybersecurity Regulation, covered entities are “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
- Investment firms
- State-chartered banks and private bankers
- Holding companies
- Mortgage brokers
- Charitable foundations
- Foreign banks licensed to operate in New York
- Purchasing groups
- Internationally active insurance companies
- New York state-registered corporations
- Service contract providers
There are certain exemptions for smaller firms with fewer than 10 employees and under $5 million in gross revenue from New York business operations. Apart from those exempt entities, even firms registered outside New York that sell financial services to residents of New York must comply with the legislation and the NYDFS multi-factor authentication requirement.
Key NYDFS Part 500 Requirements
Note: The Nov 1, 2023 amendments increased board/senior-management accountability, added new controls, and require more frequent risk assessments and updated notification requirements.
As the NYDFS Cybersecurity Regulation mainly focuses on the activities and services of firms in the financial industry, it is not as broad as other data protection regulations. However, in several respects, it calls for stricter procedures. Here are some of the main features of the regulation:
- Regulated entities must have a risk-assessed cybersecurity program to protect the confidentiality and integrity of their information systems.
- Companies must implement a cybersecurity policy covering data governance, access controls, and customer data privacy, among other features.
- Firms must have a designated chief information security officer (CISO).
- The data to be protected is virtually all nonpublic information, that is, all electronic information that is not publicly available and that could be used to identify someone or that has been derived from a healthcare provider.
- User access privileges to nonpublic information must be limited.
- Effective controls, including multi-factor authentication (MFA), should protect nonpublic information. This measure becomes an obligation when the network is being accessed externally.
- Notices of cybersecurity events must be made to the NYDFS superintendent within 72 hours.
There are also several other features of the legislation that focus on application security, risk assessment and incident response. Finally, it should be noted that there was no specific directive on the size of violation fines at the regulation’s release; however, subsequent punishments have set a precedent for other firms in terms of the scale of potential financial penalties for non-compliance.
Understanding Section 500.12 - Multi-Factor Authentication
Enforcement Trend: DFS has been increasingly active on cyber controls and notifications; firms have faced consent orders where controls (including MFA) were deficient. Cybersecurity events must also be reported to the superintendent within 72 hours under §500.17.
In December 2021, the NYDFS released an industry letter specifically related to Section 500.12 of the NYDFS Cybersecurity Regulation regarding multi-factor authentication. They were concerned that not enough emphasis had been given in the original document around one of the most important aspects of the regulation. Too many cyber incidents are occurring where covered entities are in violation of rules on MFA implementation, which the NYDFS regards as “an essential part of cybersecurity hygiene.”
However, not all MFA implementations are equal, and many cyber incidents occur through improper or easily circumvented multi-factor authentication. The NYDFS lists some of the most common issues that prevent effective MFA implementation.
Common MFA Compliance Gaps (and Fixes)
Legacy protocols and basic authentication still active
Many older applications and systems, especially Microsoft Outlook, still rely on basic (that is, username and password) authentication. This can create issues, even after upgrades, if these legacy systems are not properly deactivated and decoupled from their networks.
Remote access
As more people choose to work from home, remote access has become the norm. Unfortunately, security was made secondary to expediency, meaning many applications could still be accessed without MFA.
Lack of third-party MFA
Many companies allow third parties such as partners and contractors to access nonpublic information without requiring them to authenticate through MFA. This is in direct violation of the NYDFS multi-factor authentication requirement.
Exceptions
Some users may push back against traditional MFA implementation due to its complexity and the extra time it takes for authentication. When exceptions are made for these users, it creates a network of backdoors for attackers and makes these users more susceptible to attack.
Privileged accounts
As the NYDFS notes, “In every case where cybercriminals escalated privileges during a reported Cybersecurity Event, the privileged account lacked MFA.” Privileged accounts should be the highest priority for strong authentication measures, specifically MFA.
Use of weak or easily phished factors (SMS, push)
Many types of MFA, such as SMS one-time passwords (OTPs) and push notifications, are already easy to circumvent by attackers. Those looking to comply with the NYDFS Cybersecurity Regulation must consider this in their risk-based assessments.
Pro Tip: DFS guidance now explicitly refers to phishing-resistant MFA as a baseline for Section 500.12 compliance.
Preparing for NYDFS Part 500 MFA Compliance
While the original release of the NYDFS Cybersecurity Regulation covered the broad remit of the legislation and the obligation of covered entities more generally, the subsequent release of their guidance document on MFA shows quite clearly the focus is on stronger authentication controls. This is in line with the federal government’s emphasis on strong MFA within a Zero Trust framework in its Executive Order on Cybersecurity. The NYDFS also notes that multi-factor authentication is one of the most cost-effective means for all businesses to greatly improve their cybersecurity.
Implementing a flexible, easy-to-use and compliant MFA system doesn’t have to be a difficult task. Through passwordless authentication solutions, such as HYPR’s True Passwordless MFA, strong, cryptographically secure employee and customer authentication can be achieved by transforming an ordinary smartphone into a FIDO token. HYPR’s solution also covers exceptions such as offline authentication, remote access and alternative devices. In addition, it integrates seamlessly with popular SSO providers and involves minimal user friction, which increases adoption, improves productivity and facilitates buy-in from business stakeholders.
Learn how HYPR’s passwordless MFA solution can help ensure compliance with the NYDFS multi-factor authentication requirement with minimum implementation time and resource costs.
- Audit existing MFA coverage
- Retire password-based and legacy auth
- Extend MFA to third-party/privileged accounts
- Adopt phishing-resistant MFA
- Document evidence for DFS certification
How HYPR Helps You Achieve Compliance
HYPR empowers financial institutions to meet NYDFS Part 500 requirements with phishing-resistant, passwordless MFA. Our technology eliminates passwords, SMS codes, and push approvals, closing compliance gaps in Section 500.12 and strengthening your overall cybersecurity posture.
- FIDO2 cryptographic MFA → Section 500.12 compliance
- Logging/reporting → Section 500.17 documentation
- Seamless user experience → higher adoption, fewer exceptions
HYPR delivers phishing-resistant MFA that directly aligns with NYDFS Part 500 requirements.
- Built on FIDO2/WebAuthn standards
- Covers remote access, privileged accounts, and third-party access
- Generates audit-ready reports for DFS documentation
- Integrates with existing SSO and IAM platforms
Result: Compliance-ready authentication with minimal user friction.
Key Takeaways
- NYDFS Part 500 is the most stringent state cyber rule set.
- §500.12 makes MFA mandatory for critical access points.
- DFS and best practice favor phishing-resistant MFA over SMS/push.
- HYPR accelerates compliance with passwordless, FIDO-based MFA.
FAQs
Q1: What is NYDFS Part 500?
A New York regulation that requires financial institutions to establish and maintain cybersecurity programs.
Q2: Who does it apply to?
Banks, insurers, lenders, and other licensed financial services providers operating in NY.
Q3: What is Section 500.12?
The section requiring multi-factor authentication for internal, remote, and privileged accounts.
Q4: Is SMS MFA compliant?
No. DFS recommends phishing-resistant methods such as FIDO2.
Q5: How does HYPR help?
HYPR’s passwordless authentication meets DFS expectations for phishing-resistant MFA while simplifying compliance.
Baljeet Sandhu
CTO
Baljeet Sandhu is the Chief Technology Officer at HYPR, where he leads the engineering behind its secure, passwordless authentication solutions. With over 20 years of experience in cybersecurity and software engineering, he has held senior roles at Barclays, Bank of America, and RBC. His expertise spans cryptography, cloud architecture, and API development, all essential to HYPR’s mission of building trusted identity systems.