
NYDFS Part 500 MFA requirements 2025 (New)

Learn which NYDFS Part 500 MFA deadlines must be met in 2025, who needs to adapt, and how passkeys and phishing-resistant MFA help you stay compliant.

Alexander Petrovski

Created: December 7, 2025

Updated: December 8, 2025



1. Introduction: NYDFS makes MFA mandatory#

The New York Department of Financial Services (NYDFS) didn’t just “update” Part 500 but turned multi-factor authentication into a board-level liability. Decisions about how users authenticate, which factors are allowed, and where gaps remain are no longer just architecture debates between security and IT. They now sit in a regulatory environment where senior leaders are expected to stand behind those choices personally, and where “we thought basic MFA was enough” is unlikely to be a convincing answer.

The financial risk behind that shift is substantial. Under New York Banking Law, NYDFS can impose civil penalties that scale with both duration and severity: commonly cited as up to $2,500 per day for each continuing violation, $15,000 per day for reckless practices, and $75,000 per day for knowing and willful violations. Over the past several years DFS has also built up a track record of cybersecurity consent orders under Part 500, with individual cases reaching into the tens of millions of dollars for serious control and reporting failures (see section 6). Against that backdrop, getting MFA “mostly right” is no longer enough: organizations need a defensible approach to strong, phishing-resistant authentication that withstands both attacks and regulatory scrutiny.

To keep your company from paying these fines, we will cover the most important information on this topic in this article and answer the following questions:

  1. What are the new additions to NYDFS Part 500 and until when do they have to be met?
  2. Who is impacted by the changes to NYDFS Part 500?
  3. What types of MFA can be used to stay compliant with NYDFS Part 500?

2. What is NYDFS Part 500?#

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, known as 23 NYCRR Part 500, has transformed over the years from a general, risk-based guideline into one of the most detailed and rigorously enforced cybersecurity standards in the country. Since its introduction in 2017, the regulation has focused on safeguarding customer information and maintaining the resilience of New York’s financial sector in the face of evolving cyber risks.

The regulation changed notably with the Second Amendment, which took effect on November 1, 2023. This update introduced much tighter operational requirements, raised expectations for governance, and placed greater personal responsibility on senior leaders. Compliance has been phased in through November 2025, but the message is already clear: NYDFS is enforcing the regulation aggressively, with recent actions resulting in multi-million-dollar penalties. As a result, managing Part 500 obligations has shifted from a technical compliance exercise to a key part of overall business strategy and risk management.


3. What changed in the 2023 Second Amendment?#

The Second Amendment to Part 500 represents the most significant overhaul since the regulation's inception. Here are the critical changes organizations must address:

Multi-Factor Authentication (MFA)
  • Previous requirement: MFA required for remote access and privileged accounts
  • New requirement: Universal MFA for any individual accessing any information system (Section 500.12)
  • Compliance deadline: November 1, 2025
  • Impact: Exceptions only for small businesses under the limited exemption (fewer than 20 employees, under $7.5M in revenue, under $15M in assets), or for compensating controls the CISO has approved in writing as reasonably equivalent to or more secure than MFA.

Annual Certification
  • Previous requirement: Single signature from a senior officer
  • New requirement: Dual signature from the CEO (highest-ranking executive) and the CISO, backed by evidence-based documentation
  • Compliance deadline: April 15 (annually)
  • Impact: Personal liability for both executives; the certification must be supported by verifiable data retained for 5 years.

Class A Companies
  • Previous requirement: Category did not exist
  • New requirement: New tier for larger institutions ($20M+ NY revenue and either 2,000+ employees or $1B+ global revenue)
  • Compliance deadline: November 1, 2023 (category defined); the Class A-specific controls were phased in through November 1, 2025
  • Impact: Mandatory independent audits, privileged access management (PAM), endpoint detection and response (EDR), and enhanced monitoring.

Asset Management
  • Previous requirement: General requirement
  • New requirement: Complete, documented inventory of all information systems with owner, location, classification, support dates, and recovery time objectives (RTOs)
  • Compliance deadline: November 1, 2025
  • Impact: Every asset must be tracked; no blind spots allowed.

Encryption
  • Previous requirement: Encryption, with compensating controls allowed
  • New requirement: Mandatory encryption of NPI in transit over external networks (no compensating controls)
  • Compliance deadline: November 1, 2024 (already passed)
  • Impact: Organizations must be compliant now. Encryption at rest still allows CISO-approved compensating controls.

Penetration Testing
  • Previous requirement: Annual testing or continuous monitoring
  • New requirement: Annual penetration testing is mandatory (continuous monitoring no longer substitutes)
  • Compliance deadline: April 29, 2024 (180-day transition after November 1, 2023)
  • Impact: Must test from both inside and outside the network perimeter annually.

Board Oversight
  • Previous requirement: General oversight expected
  • New requirement: Board must possess sufficient cybersecurity understanding, actively review reports, and allocate resources
  • Compliance deadline: November 1, 2024 (already passed)
  • Impact: Boards can no longer delegate and ignore; they must demonstrate active engagement.

CISO Reporting
  • Previous requirement: Periodic reporting
  • New requirement: Annual written report to the board plus timely reports on significant issues
  • Compliance deadline: November 1, 2024 (already passed)
  • Impact: The CISO must have direct board access and the authority to escalate issues.

4. Governance, Roles, and Personal Liability under NYDFS Part 500#

The Second Amendment to Part 500 significantly tightens governance expectations. It strengthens the position of the CISO, sets clearer expectations for board involvement, and introduces shared accountability between the CEO and CISO through the annual certification requirement. Cybersecurity is treated as an enterprise risk management topic, not just an IT function.

4.1 NYDFS Impact for CISOs#

Under the updated rules, the CISO must have sufficient authority, independence, and direct access to the board or equivalent governing body. They are expected to provide at least an annual written report on the cybersecurity program, material risks, and remediation plans, and to escalate significant issues in a timely manner. Decisions such as the use of compensating controls must be documented and periodically reviewed.

4.2 NYDFS Impact for Boards#

The board, in turn, must have enough cybersecurity understanding to review these reports, challenge assumptions, and ensure that adequate resources are allocated. This does not mean every board member is a technical expert, but the board collectively must be able to understand the presented risks and make informed decisions.

4.3 NYDFS Impact for CEOs#

The dual-signature requirement for CEO/CISO certification formalizes this shared responsibility. Both must attest annually that the organization complies with Part 500 based on actual program performance, not only documented intent. This increases the importance of reliable metrics, evidence, and internal verification. Informal or ad hoc tracking is unlikely to be sufficient if NYDFS asks how those certifications were justified.


5. Who must comply with NYDFS Part 500?#

The regulation effectively creates three tiers: “Covered Entities”, the higher-bar “Class A Companies” (a subset of Covered Entities with additional obligations), and entities that qualify for a full or limited exemption under Section 500.19 and are therefore relieved of some or most of the requirements.

5.1 Who is considered a Covered Entity?#

Under the regulation, a Covered Entity (roughly ~3,000+ companies) includes any individual or organization that holds, or is required to hold a

  • License

  • Registration

  • Charter

  • Certificate

  • Or similar authorization

under New York’s Banking, Insurance, or Financial Services Law. This definition is intentionally broad and brings a wide range of institutions into scope, such as:

  • State-chartered banks and trust companies (e.g. First National Bank of Scotia)

  • Insurance providers across all lines (property and casualty, life and health, HMOs) (e.g. Otsego Mutual Fire Insurance Company)

  • Mortgage brokers and other licensed lenders (e.g. ABC Mortgage Corp.)

  • Investment companies and budget planning organizations (e.g. Consumer Credit Counseling Service of Rochester)

  • Virtual currency firms operating under a BitLicense (e.g. BitOoda Digital LLC)

  • Holding companies and certain charitable foundations (e.g. Glenville Bank Holding Company)

Importantly, the rule applies regardless of an organization’s size (size only determines which exemptions are available) or whether it is also supervised by another regulator. In practical terms, if your business operates under a New York-issued license, registration, charter, or similar authorization, which is usually what serving New York customers in these sectors requires, you should assume the NYDFS requirements apply to you.

5.2 What is a Class A Company under NYDFS Part 500?#

Class A Companies represent the largest institutions (~200–400 companies) within the NYDFS framework. An organization falls into this category if it earns at least $20 million in annual revenue from its New York operations and meets one of the following thresholds:

  • Has more than 2,000 employees, or

  • Generates over $1 billion in annual revenue worldwide

Being classified as a Class A Company comes with additional expectations. These institutions must undergo independent cybersecurity audits every year and implement more advanced technical safeguards, such as privileged access management (PAM) tools and endpoint detection and response (EDR) capabilities. These enhanced requirements reflect the elevated risk profile and operational scale of large financial organizations.

5.3 What is an exempt Company under NYDFS Part 500?#

Exempt entities are organizations that fall under NYDFS oversight but qualify for one of the exemptions outlined in Section 500.19. These exemptions (granted based on factors such as size, business activity, or coverage under another entity’s cybersecurity program) relieve organizations from either most requirements (full exemptions) or only certain sections (limited exemptions).

Limited exemptions commonly apply to smaller institutions:

  • with fewer than 20 employees

  • under $7.5 million in revenue

  • or less than $15 million in total assets

and exclude them from selected governance and technical mandates while still requiring a core cybersecurity program.

Full exemptions apply to entities that

  • are already covered by a parent or affiliated company’s cybersecurity program,

  • do not operate information systems and do not hold nonpublic information, or

  • are among the specialized insurance or financial institutions identified in the regulation.


6. What were some recent NYDFS violations and what were the penalties?#

6.1 Auto Insurance Companies (Aggregate Enforcement)#

Date: October 14, 2025

Total Penalty: more than $19,000,000 (shared across 8 entities)

Individual Penalties:

  • Hartford Fire Insurance Co.: $3 million

  • American Family Mutual / Midvale Indemnity: $2.8 million

  • Farmers Insurance Exchange: $2.775 million

  • Liberty Mutual Insurance Co.: $2.7 million

  • Infinity Insurance Co.: $2.25 million

  • Metromile Insurance Co.: $2 million

  • State Auto Property & Casualty: $2 million

  • Hagerty Insurance Agency: $1.85 million

Key Policy Violations:

  • Failure to Implement MFA (Section 500.12): The companies did not enforce multi-factor authentication on their online quoting systems. This gap let attackers run automated attacks against those public-facing applications and harvest sensitive driver data at scale.

  • Failure to Report (Section 500.17): Several entities (notably Farmers and Infinity) failed to notify NYDFS within the mandatory 72-hour window after determining a cybersecurity event had occurred.

  • Inadequate Risk Assessment (Section 500.09): The companies failed to adequately assess the risks associated with public-facing applications.

6.2 Healthplex, Inc.#

Date: August 14, 2025

Penalty: $2,000,000

Key Policy Violations:

  • Lack of MFA (Section 500.12): During a migration to Office 365, the company failed to enable MFA for web-based email access. This allowed a phishing attack to compromise a 20-year employee's account.

  • Data Retention Failure (Section 500.13): The compromised email account contained over 100,000 emails dating back several years. NYDFS penalized the company for lacking a policy to dispose of Non-Public Information (NPI) that was no longer necessary for business operations.

  • False Certification (Section 500.17): The company certified compliance annually (2018–2022) despite these material security gaps.

6.3 Block, Inc. (Cash App, Square)#

Date: April 10, 2025

Penalty: $40,000,000 (Combined AML and Cybersecurity penalty)

Key Policy Violations:

  • Governance Failures (Sections 500.03 & 500.04): The Board of Directors failed to adequately review and approve cybersecurity policies.

  • Inadequate Oversight: The investigation found a lack of management oversight to ensure that written cybersecurity policies were effectively implemented in practice, rather than just existing on paper.

  • Access Privileges (Section 500.07): The company failed to strictly limit user access privileges, creating a high-risk environment.

6.4 PayPal, Inc.#

Date: January 23, 2025

Penalty: $2,000,000

Key Policy Violations:

  • Ineffective Access Controls (Section 500.12): PayPal allowed MFA to be optional rather than mandatory for certain accounts. Threat actors exploited this to access tax forms (1099-Ks) containing unmasked Social Security numbers.

  • Cybersecurity Personnel & Training (Section 500.10): The team implementing the system change was not adequately trained on the company's own security policies.

  • Policy Implementation Failure (Section 500.03): Although a policy for testing new code existed, the engineering team misclassified a software update. This caused the update to bypass required security testing, a direct violation of internal governance.

6.5 Genesis Global Trading, Inc.#

Date: January 12, 2024

Penalty: $8,000,000 (Surrender of BitLicense + Fine)

Key Policy Violations:

  • Inadequate Risk Assessment (Section 500.09): The company failed to conduct comprehensive risk assessments to accurately identify cybersecurity risks specific to its business model.

  • Compliance Program Failure: The penalty was levied largely because the company’s compliance program was deemed "non-functional," demonstrating a disregard for regulatory requirements.

6.6 First American Title Insurance Company#

Date: November 28, 2023

Penalty: $1,000,000

Key Policy Violations:

  • Access Control Failure (Section 500.07): A design defect, an insecure direct object reference (IDOR), allowed documents to be accessed by simply changing the document identifier in the URL. The penalty addressed the failure to have access controls capable of preventing this simple bypass.

  • Data Classification (Section 500.03): The company failed to classify the data within this application as "Non-Public Information" (NPI). Consequently, the data did not receive the higher level of security protections required by policy.


7. What Systems require MFA under NYDFS Part 500?#

Under the amended Section 500.12, multi-factor authentication (MFA) is required for any individual accessing any information system of a covered entity, unless the CISO has approved in writing a compensating control that is reasonably equivalent or more secure. In practice that covers:

  • Any remote access to the organization’s systems and internal networks.

  • Cloud-based SaaS platforms, such as Microsoft 365, Google Workspace, or Salesforce.

  • All privileged accounts, whether accessed internally within the network or externally.

  • Third-party applications and any form of external vendor or supply chain access.

  • Customer Access portals, specifically including Consumer Identity and Access Management (CIAM) systems and Identity Providers (IdPs) that secure public-facing applications where Nonpublic Information (NPI) is accessible.

Importantly, MFA cannot be left to individual users to switch on; the organization must enforce it centrally across both workforce and customer identity perimeters. Optional, opt-in MFA of the kind cited in the PayPal order above does not meet the requirement.


8. What Types of MFA does NYDFS consider weak?#

In its December 2021 industry letter on multi-factor authentication, NYDFS cautioned organizations about relying on weaker MFA methods, noting that they are increasingly targeted by attackers:

  • SMS codes, which can be intercepted or diverted through SIM-swapping

  • One-time passwords (OTPs) typed into a web form, which a phishing page or reverse proxy can relay to the real site in real time

  • Push notifications, which attackers defeat through “push fatigue”, sending prompts until the user approves one

NYDFS advises institutions to adopt stronger, phishing-resistant MFA (in current deployments typically FIDO2/WebAuthn credentials such as passkeys or hardware security keys) and to regularly validate its effectiveness through penetration testing, audits and vulnerability assessments.

9. What is Phishing-Resistant MFA?#

Phishing-resistant MFA relies on cryptographic credentials, most prominently passkeys, instead of passwords or one-time codes that can be intercepted, replayed, or tricked out of users. Passkeys are FIDO2/WebAuthn credentials: a public/private key pair created per site, with the private key kept on the user’s device (or in a cloud-synced keychain) and never shared with the service. During login the server sends a fresh random challenge; the browser records the origin of the page the user is actually on and the hash of the relying party ID in the data to be signed; the device signs that data with the private key only after the user unlocks it with a biometric or local PIN; and the server verifies the signature against the stored public key and rejects any assertion whose origin or relying party ID is not its own. Because the signed data is bound to the genuine site and to a one-time challenge, an attacker cannot reuse a captured assertion or obtain a valid one from a look-alike phishing page, even with full control of the network.

These methods are designed to be resistant to common attack vectors such as man-in-the-middle and reverse-proxy attacks, SIM-swapping, push-notification fatigue, credential stuffing, and classic credential phishing.
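To make the origin binding and one-time challenge concrete, here is an added Go example written for this page (it is not Corbado’s code and not a production WebAuthn library). It implements the server-side assertion checks a relying party performs, with a simulated passkey standing in for the browser and authenticator, and then runs three logins: a genuine one, one captured on a look-alike phishing domain that relays the server’s real challenge, and a replay of the genuine assertion. The hostnames bank.example and bank-example.evil, the in-memory challenge store and the single registered credential are constructed for the example; a real deployment would parse the CBOR and JSON the browser sends, look the credential up by ID, check the signature counter, and use a vetted WebAuthn library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// collectedClientData holds the CollectedClientData fields a relying party must check.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte } // what the browser posts back

// signedDigest is what the authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authenticatorData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authenticatorData...), cdh[:]...))
	return d[:]
}

// sign simulates a passkey: in a real browser rpID and origin come from the page the user is actually on.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID)) // authenticatorData = rpIdHash || flags || signCount
	ad := binary.BigEndian.AppendUint32(append(rpIDHash[:], 0x05), 1) // 0x05 = user present + user verified
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	return assertion{cd, ad, sig}, err
}

type relyingParty struct { // server side for one registered credential
	origin, rpID string
	pub          *ecdsa.PublicKey
	challenges   map[string]bool // outstanding one-time challenges
}

// newChallenge issues a fresh random challenge that can be consumed exactly once.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// verify performs the assertion checks that make passkeys phishing- and replay-resistant.
func (rp *relyingParty) verify(a assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge]:
		return errors.New("wrong ceremony type, or unknown/already-used challenge (replay)")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q: assertion was obtained on another site", cd.Origin, rp.origin)
	case len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]):
		return errors.New("authenticator data malformed or rpIdHash does not match our RP ID")
	case a.AuthenticatorData[32]&0x05 != 0x05:
		return errors.New("user presence or user verification flag not set")
	case !ecdsa.VerifyASN1(rp.pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("invalid signature")
	}
	delete(rp.challenges, cd.Challenge) // consumed: the same assertion is never accepted twice
	return nil
}

// scenarios: genuine login, login on a look-alike phishing domain relaying a real challenge, and a replay; hostnames are constructed for the example.
func scenarios() (genuine, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created at registration time
	if err != nil {
		return err, err, err
	}
	rp := &relyingParty{origin: "https://bank.example", rpID: "bank.example", pub: &priv.PublicKey, challenges: map[string]bool{}}
	a1, _ := sign(priv, "bank.example", "https://bank.example", rp.newChallenge())
	genuine = rp.verify(a1)
	a2, _ := sign(priv, "bank-example.evil", "https://bank-example.evil", rp.newChallenge()) // victim is on the wrong page
	phished = rp.verify(a2)
	replayed = rp.verify(a1) // a captured assertion sent a second time
	return genuine, phished, replayed
}

func main() {
	g, p, r := scenarios()
	fmt.Printf("genuine: %v\nphished: %v\nreplayed: %v\n", g, p, r)
}
```

Run it with go run: the genuine login verifies; the assertion obtained on the look-alike domain is rejected on the origin and rpIdHash checks even though it carries a real challenge and a valid signature from the real key; and resending the genuine assertion fails because its challenge was consumed. The point that matters for Part 500 is that the phishing resistance is enforced by the browser’s origin binding plus these server-side checks, not by user vigilance, and every rejection above leaves a log line an auditor can be shown.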

10. How can Corbado help?#

10.1 What NYDFS Challenges does Corbado solve?#

NYDFS Part 500 significantly raises the bar in three critical areas: requiring universal MFA coverage for all access points, mandating phishing-resistant authentication methods, and demanding rigorous evidence to support annual CEO/CISO certification.

The Operational Challenge: In practice, meeting these standards is difficult because authentication landscapes are often fragmented. Companies are stuck juggling legacy IAM systems, custom applications, and third-party platforms, each with inconsistent UX and limited MFA capabilities.

The Corbado Solution: Corbado resolves this friction by deploying a passkeys-first authentication overlay. This layer sits on top of existing infrastructure, instantly upgrading legacy stacks to support phishing-resistant MFA across web and mobile without requiring a backend overhaul.

Compliance & Oversight: Beyond the login, Corbado’s “Passkey Insights” provide the audit trail necessary for compliance. By visualizing login success rates, MFA adoption curves, and potential bypass attempts, it gives risk teams the concrete data needed for NYDFS examinations and enables CISOs to sign annual attestations with confidence.


10.2 Why is Corbado the Right Choice for NYDFS Compliance?#

Corbado is built specifically for large consumer and workforce login environments in regulated sectors, where strong authentication, auditability, and user experience all matter at the same time. The platform focuses on passkeys and other FIDO2/WebAuthn-based methods to deliver phishing-resistant MFA, while still supporting hybrid setups where legacy factors remain in place during the transition. For compliance teams, Corbado’s detailed telemetry, event logging, and reporting make it easier to demonstrate that controls are not only designed but operating effectively, an essential point under NYDFS. Corbado operates under an ISO 27001–certified ISMS and holds SOC 2 Type II attestation, aligning its own security posture with the expectations placed on financial institutions. Combined with experience from large-scale deployments and a strong emphasis on adoption and UX, this makes Corbado a pragmatic choice for organizations that want to meet NYDFS requirements and improve their authentication experience at the same time.


11. Conclusion#

NYDFS Part 500 has turned MFA into a board-level accountability topic: universal MFA, phishing resistance, and hard evidence are now non-negotiable. It is no longer enough to “have MFA somewhere”; you need to know which factors you use, where your gaps are, and how you can prove that your controls actually work.

Passkeys and other FIDO2/WebAuthn methods are the clearest path to meeting NYDFS expectations while cutting fraud and user friction. Corbado helps by layering passkeys and phishing-resistant MFA on top of existing systems and by providing the telemetry CEOs, CISOs, and boards need for credible certifications and audits. For organizations under NYDFS, this turns MFA from a scattered control into a defensible, data-backed strategy.

  1. What are the new additions to NYDFS Part 500 and until when do they have to be met? The Second Amendment adds universal MFA, stricter governance and reporting, Class A requirements, detailed asset inventories, stronger encryption, and mandatory annual pen tests, with key remaining deadlines, especially for MFA and asset inventory, falling on November 1, 2025 (others already in force from 2023–2024).

  2. Who is impacted by the changes to NYDFS Part 500? All NYDFS-regulated Covered Entities, such as New York–licensed banks, insurers, lenders, and virtual currency firms, are impacted, with extra obligations for large Class A companies and limited exemptions for some smaller or dependent entities.

  3. What types of MFA can be used to stay compliant with NYDFS Part 500? To stay compliant, organizations should rely on phishing-resistant MFA such as passkeys and other FIDO2/WebAuthn authenticators (hardware security keys, or platform authenticators whose device-bound keys are unlocked with a biometric or PIN), and use weaker methods like SMS, OTP, or push-based approval only in carefully controlled or transitional scenarios with the residual risk documented.

12. Frequently Asked Questions About NYDFS Part 500#

12.1 What is the new MFA requirement for November 2025?#

The regulation mandates that by November 1, 2025, Multi-Factor Authentication (MFA) must be in place for any individual accessing any information system of a covered entity (Section 500.12). This replaces the earlier, narrower requirement that covered only remote access and privileged accounts; the only exceptions are the small-business limited exemption and compensating controls the CISO has approved in writing as reasonably equivalent or more secure.

12.2 Why does NYDFS consider SMS and OTPs "weak" MFA?#

In its industry guidance, NYDFS has flagged SMS, One-Time Passwords (OTPs), and push notifications as vulnerable to modern attacks like SIM-swapping, message interception, and push fatigue. The Department strongly advises moving toward "phishing-resistant" MFA, such as passkeys (FIDO2/WebAuthn), which use cryptographic credentials that cannot be stolen or replayed by attackers.

12.3 How does the Second Amendment change personal liability for executives?#

The update transforms cybersecurity from an IT issue into a personal liability for leadership. The annual compliance certification now requires dual signatures from both the CEO and CISO. These executives must attest to compliance based on actual data and evidence; signing this certification without valid proof or while knowing of gaps can lead to individual regulatory enforcement and penalties.

12.4 Who qualifies for an exemption under Part 500?#

Limited exemptions are available for smaller organizations that have fewer than 20 employees, less than $7.5 million in annual revenue, or under $15 million in total assets. While these entities are relieved from certain sophisticated governance and technical mandates, they must still maintain a core cybersecurity program. Full exemptions generally apply only to entities already covered by a parent company’s compliant program.

12.5 What additional requirements do Class A Companies face?#

Class A Companies, defined as having over $20 million in NY revenue plus significant scale ($1B+ global revenue or 2,000+ employees), must meet higher security standards. These include mandatory independent annual audits, the implementation of Privileged Access Management (PAM) solutions, and the deployment of Endpoint Detection and Response (EDR) systems to monitor for malicious activity.
