---
url: 'https://www.corbado.com/blog/nydfs-part-500-mfa-requirements-2025'
title: 'NYDFS Part 500 MFA requirements 2025 (New)'
description: 'Learn which NYDFS Part 500 MFA deadlines must be met in 2025, who needs to adapt and how passkeys and phishing-resistant MFA help you stay compliant.'
lang: 'en'
author: 'Alex'
date: '2025-12-07T10:10:35.485Z'
lastModified: '2026-03-27T07:01:55.456Z'
keywords: 'nydfs part 500 mfa requirements 2025, 23 nycrr part 500 mfa, nydfs cybersecurity regulation second amendment, nydfs mfa deadline november, phishing-resistant mfa nydfs, class a company nydfs part 500, nydfs covered entities, nydfs mfa passkeys, nydfs part'
category: 'Authentication'
---

# NYDFS Part 500 MFA requirements 2025 (New)

## Key Facts

- **NYDFS Part 500's November 1, 2025 deadline** requires universal MFA for every
  individual accessing any information system, eliminating prior loopholes for internal or
  non-privileged access.
- **Civil penalties** under New York Banking Law scale to USD 75,000 per day for willful
  violations; recent NYDFS enforcement actions have reached individual fines exceeding USD
  30 million.
- **Phishing-resistant MFA** using passkeys and FIDO2/WebAuthn credentials is the required
  standard; SMS OTPs and push notifications are explicitly flagged as vulnerable to modern
  attacks.
- **Class A Companies** (USD 20M+ NY revenue plus 2,000+ employees or USD 1B+ global
  revenue) must undergo independent annual audits and deploy PAM solutions and EDR
  systems.
- **Annual CEO/CISO dual certification** requires both executives to attest compliance
  using verifiable data retained for 5 years, creating direct personal regulatory
  liability for both signatories.

## 1. Introduction: NYDFS makes MFA mandatory

The New York Department of [Financial Services](https://www.corbado.com/passkeys-for-banking) (NYDFS) didn’t just
“update” Part 500 but turned multi-factor authentication into a board-level liability.
Decisions about how users authenticate, which factors are allowed, and where gaps remain
are no longer just architecture debates between security and IT. They now sit in a
regulatory environment where senior leaders are expected to stand behind those choices
personally, and where “we thought basic MFA was enough” is unlikely to be a convincing
answer.

The financial risk behind that shift is substantial. Under New York
[Banking](https://www.corbado.com/passkeys-for-banking) Law, NYDFS can impose civil penalties that scale with
both duration and severity: often cited as up to $2,500 per day per continuing violation,
$15,000 per day for reckless practices, and $75,000 per day for knowing or willful
violations. Since around 2022, DFS has also built up a track record of
cybersecurity-related consent orders under Part 500, with some individual cases reaching
into the tens of millions of dollars and headline fines around $30 million for serious
control and reporting failures. Against that backdrop, getting MFA “mostly right” is no
longer enough. Organizations need a defensible approach to strong,
[phishing](https://www.corbado.com/glossary/phishing)-resistant authentication that can withstand both attacks
and regulatory scrutiny.

To keep your company from paying these fines, we will cover the most important information
on this topic in this article and answer the following questions:

1. What are the new additions to NYDFS Part 500 and until when do they have to be met?
2. Who is impacted by the changes to NYDFS Part 500?
3. What types of MFA can be used to stay compliant with NYDFS Part 500?

## 2. What is NYDFS Part 500?

The New York Department of [Financial Services](https://www.corbado.com/passkeys-for-banking) (NYDFS)
Cybersecurity Regulation, known as 23 NYCRR Part 500, has transformed over the years from
a general, risk-based guideline into one of the most detailed and rigorously enforced
cybersecurity standards in the country. Since its introduction in 2017, the regulation has
focused on safeguarding customer information and maintaining the resilience of New York’s
financial sector in the face of evolving cyber risks.

The regulatory landscape changed notably with the Second Amendment, which took effect on
November 1, 2023. This update introduces much tighter operational requirements, elevates
expectations for governance, and places greater personal responsibility on senior leaders.
Compliance is being phased in through November 2025, but the message is already clear:
NYDFS is enforcing the regulation aggressively, with recent actions resulting in
multi-million-dollar penalties. As a result, managing Part 500 obligations has shifted
from being a technical compliance exercise to a key part of overall business strategy and
risk management.

## 3. What changed in the 2023 Second Amendment?

The
[Second Amendment to Part 500](https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf)
represents the most significant overhaul since the regulation's inception. Here are the
critical changes organizations must address:

| What Changed                      | Previous Requirement                                   | New Requirement                                                                                                         | Compliance Deadline                                   | Impact                                                                                                                                                                                   |
| --------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Multi-Factor Authentication (MFA) | MFA required for remote access and privileged accounts | Universal MFA for any individual accessing any information system                                                       | November 1, 2025                                      | Exceptions only for small businesses (fewer than 20 employees, under $7.5M in revenue, under $15M in assets), or for CISO-approved controls that are equivalent or more secure than MFA. |
| Annual Certification              | Single signature from senior officer                   | Dual signature from CEO and CISO with evidence-based documentation                                                      | April 15 (annually)                                   | Personal liability for both executives; must be supported by verifiable data retained for 5 years.                                                                                       |
| Class A Companies                 | Did not exist                                          | New category for larger institutions ($20M+ NY revenue and 2,000+ employees or $1B+ global revenue)                     | November 1, 2023                                      | Mandatory independent audits, PAM solutions, EDR systems, and enhanced monitoring.                                                                                                       |
| Asset Management                  | General requirement                                    | Complete, documented inventory of all information systems with owner, location, classification, support dates, and RTOs | November 1, 2025                                      | Must track every asset. No blind spots allowed.                                                                                                                                          |
| Encryption                        | Encryption with compensating controls allowed          | Mandatory encryption of NPI in transit over external networks (no compensating controls)                                | November 1, 2024 (already passed)                     | Organizations must be compliant now. At-rest encryption still allows CISO-approved compensating controls.                                                                                |
| Penetration Testing               | Annual testing or continuous monitoring                | Annual penetration testing is mandatory (continuous monitoring no longer substitutes)                                   | April 29, 2024 (180-day transition after Nov 1, 2023) | Must test from both inside and outside the network perimeter annually.                                                                                                                   |
| Board Oversight                   | General oversight expected                             | Board must possess sufficient cybersecurity understanding and actively review reports, allocate resources               | November 1, 2024 (already passed)                     | Boards can no longer delegate and ignore; must demonstrate active engagement.                                                                                                            |
| CISO Reporting                    | Periodic reporting                                     | Annual written report to the board plus timely reports on significant issues                                            | November 1, 2024 (already passed)                     | CISO must have direct board access and authority to escalate issues.                                                                                                                     |

## 4. Governance, Roles, and Personal Liability under NYDFS Part 500

The Second Amendment to Part 500 significantly tightens governance expectations. It
strengthens the position of the [CISO](https://www.corbado.com/glossary/ciso), sets clearer expectations for
board involvement, and introduces shared accountability between the CEO and
[CISO](https://www.corbado.com/glossary/ciso) through the annual certification requirement. Cybersecurity is
treated as an enterprise risk management topic, not just an IT function.

### 4.1 NYDFS Impact for CISOs

Under the updated rules, the [CISO](https://www.corbado.com/glossary/ciso) must have sufficient authority,
independence, and direct access to the board or equivalent governing body. They are
expected to provide at least an annual written report on the cybersecurity program,
material risks, and remediation plans, and to escalate significant issues in a timely
manner. Decisions such as the use of compensating controls must be documented and
periodically reviewed.

### 4.2 NYDFS Impact for Boards

The board, in turn, must have enough cybersecurity understanding to review these reports,
challenge assumptions, and ensure that adequate resources are allocated. This does not
mean every board member is a technical expert, but the board collectively must be able to
understand the presented risks and make informed decisions.

### 4.3 NYDFS Impact for CEOs

The dual-signature requirement for CEO/CISO certification formalizes this shared
responsibility. Both must attest annually that the organization complies with Part 500
based on actual program performance, not only documented intent. This increases the
importance of reliable metrics, evidence, and internal verification. Informal or ad hoc
tracking is unlikely to be sufficient if NYDFS asks how those certifications were
justified.

## 5. Who must comply with NYDFS Part 500?

The regulation defines three primary tiers: “_Covered Entities_”, high-bar “_Class A
Companies_” and “_Exempt Entities_” who do not fall under the regulations.

### 5.1 Who is considered a Covered Entity?

Under the regulation, a _Covered Entity_ (roughly ~3,000+ companies) includes any
individual or organization that holds, or is required to hold, a

- License

- Registration

- Charter

- Certificate

- Or similar authorization

under New York’s [Banking](https://www.corbado.com/passkeys-for-banking), [Insurance](https://www.corbado.com/passkeys-for-insurance),
or [Financial Services](https://www.corbado.com/passkeys-for-banking) Law. This definition is intentionally broad
and brings a wide range of institutions into scope, such as:

- State-chartered banks and trust companies (e.g. First National Bank of Scotia)

- [Insurance](https://www.corbado.com/passkeys-for-insurance) providers across all lines (property and casualty,
  life and health, HMOs) (e.g. Otsego Mutual Fire [Insurance](https://www.corbado.com/passkeys-for-insurance)
  Company)

- Mortgage brokers and other licensed lenders (e.g. ABC Mortgage Corp.)

- Investment companies and budget planning organizations (e.g. Consumer Credit Counseling
  Service of Rochester)

- Virtual currency firms operating under a BitLicense (e.g. BitOoda Digital LLC)

- Holding companies and certain charitable foundations (e.g. Glenville Bank Holding
  Company)

Importantly, the rule applies regardless of an organization’s size or whether it is also
supervised by another regulator. In practical terms, if your business serves New York
customers or operates under a New York-issued license, you should assume the NYDFS
requirements apply to you.

### 5.2 What is a Class A Company under NYDFS Part 500?

_Class A Companies_ represent the largest institutions (~200–400 companies) within the
NYDFS framework. An organization falls into this category if it earns at least **$20
million in annual revenue from its New York operations** _and_ meets one of the following
thresholds:

- Has **more than 2,000 employees**, or

- Generates **over $1 billion in annual revenue worldwide**

Being classified as a Class A Company comes with additional expectations. These
institutions must undergo **independent cybersecurity audits every year** and implement
more advanced technical safeguards, such as **privileged access management (PAM)** tools
and **endpoint detection and response (EDR)** capabilities. These enhanced requirements
reflect the elevated risk profile and operational scale of large financial organizations.

### 5.3 What is an exempt Company under NYDFS Part 500?

_Exempt entities_ are organizations that fall under NYDFS oversight but qualify for one of
the exemptions outlined in Section 500.19. These exemptions (granted based on factors such
as size, business activity, or coverage under another entity’s cybersecurity program)
relieve organizations from either most requirements (full exemptions) or only certain
sections (limited exemptions).

Limited exemptions commonly apply to smaller institutions:

- with fewer than 20 employees

- under $7.5 million in revenue

- or less than $15 million in total assets

and exclude them from selected governance and technical mandates while still requiring a
core cybersecurity program.

Full exemptions apply to:

- entities already covered by a parent company’s cybersecurity framework

- organizations that do not operate information systems or handle nonpublic information

- certain specialized insurance or financial institutions identified in the
  regulation.

## 6. What were some recent NYDFS violations and what were the penalties?

### 6.1 Auto Insurance Companies (Aggregate Enforcement)

**Date**: October 14, 2025

**Total Penalty**: $19,000,000 (Shared across 8 entities)

**Individual Penalties:**

- **Hartford Fire Insurance Co.:** $3 million

- **American Family Mutual / Midvale Indemnity:** $2.8 million

- **Farmers Insurance Exchange:** $2.775 million

- **Liberty Mutual Insurance Co.:** $2.7 million

- **Infinity Insurance Co.:** $2.25 million

- **Metromile Insurance Co.:** $2 million

- **State Auto Property & Casualty:** $2 million

- **Hagerty Insurance Agency:** $1.85 million

**Key Policy Violations:**

- **Failure to Implement MFA (Section 500.12):** Companies failed to enforce Multi-Factor
  Authentication for online quoting systems. This policy gap allowed attackers to use
  [credential stuffing](https://www.corbado.com/glossary/credential-stuffing) to access sensitive driver data.

- **Failure to Report (Section 500.17):** Several entities (notably Farmers and Infinity)
  failed to notify NYDFS within the mandatory 72-hour window after determining a
  cybersecurity event had occurred.

- **Inadequate Risk Assessment (Section 500.09):** The companies failed to adequately
  assess the risks associated with public-facing applications.

### 6.2 Healthplex, Inc.

**Date**: August 14, 2025

**Penalty**: $2,000,000

**Key Policy Violations:**

- **Lack of MFA (Section 500.12):** During a migration to Office 365, the company failed
  to enable MFA for web-based email access. This allowed a [phishing](https://www.corbado.com/glossary/phishing)
  attack to compromise a 20-year employee's account.

- **Data Retention Failure (Section 500.13):** The compromised email account contained
  over **100,000 emails** dating back several years. NYDFS penalized the company for
  lacking a policy to dispose of Non-Public Information (NPI) that was no longer necessary
  for business operations.

- **False Certification (Section 500.17):** The company certified compliance annually
  (2018–2022) despite these material security gaps.

### 6.3 Block, Inc. (Cash App, Square)

**Date**: April 10, 2025

**Penalty**: $40,000,000 (Combined AML and Cybersecurity penalty)

**Key Policy Violations:**

- **Governance Failures (Sections 500.03 & 500.04):** The Board of Directors failed to
  adequately review and approve cybersecurity policies.

- **Inadequate Oversight:** The investigation found a lack of management oversight to
  ensure that written cybersecurity policies were effectively implemented in practice,
  rather than just existing on paper.

- **Access Privileges (Section 500.07):** The company failed to strictly limit user access
  privileges, creating a high-risk environment.

### 6.4 PayPal, Inc.

**Date**: January 23, 2025

**Penalty**: $2,000,000

**Key Policy Violations:**

- **Ineffective Access Controls (Section 500.12):** [PayPal](https://www.corbado.com/blog/paypal-passkeys)
  allowed MFA to be **optional** rather than mandatory for certain accounts. Threat actors
  exploited this to access tax forms (1099-Ks) containing unmasked Social Security
  numbers.

- **Cybersecurity Personnel & Training (Section 500.10):** The team implementing the
  system change was not adequately trained on the company's own security policies.

- **Policy Implementation Failure (Section 500.03):** Although a policy for testing new
  code existed, the engineering team misclassified a software update. This caused the
  update to bypass required security testing, a direct violation of internal governance.

### 6.5 Genesis Global Trading, Inc.

**Date**: January 12, 2024

**Penalty**: $8,000,000 (Surrender of BitLicense + Fine)

**Key Policy Violations:**

- **Inadequate Risk Assessment (Section 500.09):** The company failed to conduct
  comprehensive risk assessments to accurately identify cybersecurity risks specific to
  its business model.

- **Compliance Program Failure:** The penalty was levied largely because the company’s
  compliance program was deemed "non-functional," demonstrating a disregard for regulatory
  requirements.

### 6.6 First American Title Insurance Company

**Date**: November 28, 2023

**Penalty**: $1,000,000

**Key Policy Violations:**

- **Access Control Failure (Section 500.07):** A design defect allowed documents to be
  accessed by simply changing the URL. The penalty addressed the failure to have access
  controls capable of preventing this simple bypass.

- **Data Classification (Section 500.03):** The company failed to classify the data within
  this application as "Non-Public Information" (NPI). Consequently, the data did not
  receive the higher level of security protections required by policy.

## 7. What Systems require MFA under NYDFS Part 500?

Multi-factor authentication (MFA) is strictly required for:

- **Any remote access** to the organization’s systems and internal networks.

- **Cloud-based SaaS platforms**, such as
  [Microsoft 365](https://www.corbado.com/blog/microsoft-passkeys-best-practices-analysis), Google Workspace, or
  Salesforce.

- **All privileged accounts**, whether accessed internally within the network or
  externally.

- **Third-party applications** and any form of external vendor or supply chain access.

- **Customer Access portals**, specifically including **Consumer Identity and Access
  Management (CIAM)** systems and **Identity Providers (IdPs)** that secure public-facing
  applications where Nonpublic Information (NPI) is accessible.

Importantly, MFA requirements cannot be delegated to individual users; these controls must
be **enforced centrally** by the organization to ensure compliance across both workforce
and customer identity perimeters.

## 8. What Types of MFA does NYDFS consider weak?

In its **December 2021 industry letter**, NYDFS cautioned organizations about relying on
weaker MFA methods, noting that they are increasingly targeted by attackers:

- [**SMS One-Time Passwords**](https://www.corbado.com/blog/sms-cost-reduction-passkeys/sms-based-authentication-explained):
  exposed to SIM-swaps and message interception

- [**OTP codes (e.g. Google Authenticator, Microsoft Authenticator, etc.)**](https://www.corbado.com/glossary/authenticator-app):
  can be harvested through [phishing](https://www.corbado.com/glossary/phishing) or other interception
  techniques

- **Push-based MFA**: prone to push-fatigue attacks and social engineering

NYDFS advises institutions to adopt **phishing-resistant MFA solutions** (passkeys) and
regularly validate their effectiveness through **penetration testing, audits and
vulnerability assessments.**

## 9. What is Phishing-Resistant MFA?

Phishing-resistant MFA relies on cryptographic credentials, most prominently passkeys,
instead of passwords or one-time codes that can be intercepted, replayed, or tricked out
of users. Passkeys are [FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn-based credentials that live on a
user’s device (or secure cloud-backed keychain) and never expose shared secrets to the
service. During login, the website proves its identity, the device signs a challenge with
a private key, and the user confirms the action with a biometric or local PIN. Because
nothing reusable ever leaves the device, attackers cannot steal or replay the credential,
even if they control the network or send perfectly spoofed phishing pages.

These methods are designed to be resistant to common attack vectors such as
man-in-the-middle and reverse-proxy attacks, SIM-swapping, push-notification fatigue,
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing), and classic credential phishing.

## 10. How can Corbado help?

### 10.1 What NYDFS Challenges does Corbado solve?

**NYDFS Part 500 significantly raises the bar in three critical areas:** requiring
universal MFA coverage for all access points, mandating phishing-resistant authentication
methods, and demanding rigorous evidence to support annual CEO/CISO certification.

**The Operational Challenge:** In practice, meeting these standards is difficult because
authentication landscapes are often fragmented. Companies are stuck juggling legacy IAM
systems, custom applications, and third-party platforms, each with inconsistent UX and
limited MFA capabilities.

**The Corbado Solution:** Corbado resolves this friction by deploying a **passkeys-first
authentication overlay**. This layer sits on top of existing infrastructure, instantly
upgrading legacy stacks to support phishing-resistant MFA across web and mobile without
requiring a backend overhaul.

**Compliance & Oversight:** Beyond the login, Corbado’s “Passkey Insights” provide the
audit trail necessary for compliance. By visualizing login success rates, MFA adoption
curves, and potential bypass attempts, it gives risk teams the concrete data needed for
NYDFS examinations and enables [CISOs](https://www.corbado.com/glossary/ciso) to sign annual
[attestations](https://www.corbado.com/glossary/attestation) with confidence.

### 10.2 Why is Corbado the Right Choice for NYDFS Compliance?

Corbado is built specifically for large consumer and workforce login environments in
regulated sectors, where strong authentication, auditability, and user experience all
matter at the same time. The platform focuses on passkeys and other
[FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn-based methods to deliver phishing-resistant MFA, while
still supporting hybrid setups where legacy factors remain in place during the transition.
For compliance teams, Corbado’s detailed telemetry, event logging, and reporting make it
easier to demonstrate that controls are not only designed but operating effectively, an
essential point under NYDFS. Corbado operates under an
[ISO 27001](https://www.corbado.com/blog/cybersecurity-frameworks)–certified ISMS and holds
[SOC 2](https://www.corbado.com/blog/cybersecurity-frameworks) Type II [attestation](https://www.corbado.com/glossary/attestation),
aligning its own security posture with the expectations placed on financial institutions.
Combined with experience from
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) deployments and a strong
emphasis on adoption and UX, this makes Corbado a pragmatic choice for organizations that
want to meet NYDFS requirements and improve their authentication experience at the same
time.

## 11. Conclusion

NYDFS Part 500 has turned MFA into a board-level accountability topic: universal MFA,
phishing resistance, and hard evidence are now non-negotiable. It’s no longer enough to
“have MFA somewhere”; you need to know which factors you use, where your gaps are, and how
you can prove that your controls actually work.

Passkeys and other [FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn methods are the clearest path to
meeting NYDFS expectations while cutting fraud and user friction. Corbado helps by
layering passkeys and phishing-resistant MFA on top of existing systems and by providing
the telemetry CEOs, [CISOs](https://www.corbado.com/glossary/ciso), and boards need for credible certifications
and audits. For organizations under NYDFS, this turns MFA from a scattered control into a
defensible, data-backed strategy.

1. **What are the new additions to NYDFS Part 500 and until when do they have to be met?**
   The Second Amendment adds universal MFA, stricter governance and reporting, Class A
   requirements, detailed asset inventories, stronger encryption, and mandatory annual pen
   tests, with key remaining deadlines, especially for MFA and asset inventory, falling on
   November 1, 2025 (others already in force from 2023–2024).

2. **Who is impacted by the changes to NYDFS Part 500?** All NYDFS-regulated Covered
   Entities, such as New York–licensed banks, insurers, lenders, and virtual currency
   firms, are impacted, with extra obligations for large Class A companies and limited
   exemptions for some smaller or dependent entities.

3. **What types of MFA can be used to stay compliant with NYDFS Part 500?** To stay
   compliant, organizations should rely on strong, phishing-resistant MFA such as passkeys
   and other FIDO2/WebAuthn [authenticators](https://www.corbado.com/glossary/authenticator),
   [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys), and device-bound
   biometrics, using weaker methods like SMS, OTP, or push-based codes only in carefully
   controlled or transitional scenarios.

## Frequently Asked Questions

### Which specific systems must have MFA enforced under NYDFS Part 500 by November 2025?

Remote access, cloud SaaS platforms such as Microsoft 365 and Google Workspace, all
privileged accounts, third-party vendor access and customer-facing CIAM portals all
require MFA. Organizations must enforce these controls centrally rather than delegating
them to individual users, covering both workforce and customer identity perimeters.

### What real fines have companies paid for NYDFS MFA compliance failures?

Eight auto insurers collectively paid USD 19 million in October 2025 for failing to
enforce MFA on public-facing quoting systems, enabling credential stuffing attacks on
driver data. Block Inc. (Cash App) paid USD 40 million in April 2025 and Healthplex paid
USD 2 million in August 2025 partly for disabling MFA during an Office 365 migration.

### Can authenticator app OTPs or SMS codes satisfy the NYDFS phishing-resistant MFA requirement?

No. NYDFS identified SMS OTPs, authenticator app codes and push-based MFA as weak in its
December 2021 industry letter. These methods are vulnerable to SIM-swapping, phishing
interception and push-notification fatigue. NYDFS advises adopting passkeys and other
FIDO2/WebAuthn credentials, validated through penetration testing and audits.

### What exemptions allow a company to avoid the NYDFS Part 500 universal MFA requirement?

Limited exemptions apply to organizations with fewer than 20 employees, under USD 7.5
million in annual revenue or less than USD 15 million in total assets. Full exemptions
cover entities already under a parent company's compliant cybersecurity program. Even
exempt entities must still maintain a core cybersecurity program.

### What evidence must a CISO produce to support the NYDFS annual compliance certification?

The CISO must produce an annual written report to the board covering the cybersecurity
program, material risks and remediation plans. The dual CEO/CISO certification requires
verifiable data supporting compliance attestations, with documentation retained for 5
years. NYDFS specifically notes that informal or ad hoc tracking is unlikely to satisfy
examination scrutiny.

## 12. Frequently Asked Questions About NYDFS Part 500

### 12.1 What is the new MFA requirement for November 2025?

The regulation mandates that by November 1, 2025, Multi-Factor Authentication (MFA) must
be implemented for any individual accessing any information system. This eliminates
previous loopholes.

### 12.2 Why does NYDFS consider SMS and OTPs "weak" MFA?

In its industry guidance, NYDFS has flagged SMS, One-Time Passwords (OTPs), and push
notifications as vulnerable to modern attacks like SIM-swapping, message interception, and
push fatigue. The Department strongly advises moving toward "phishing-resistant" MFA, such
as passkeys (FIDO2/WebAuthn), which use cryptographic credentials that cannot be stolen or
replayed by attackers.

### 12.3 How does the Second Amendment change personal liability for executives?

The update transforms cybersecurity from an IT issue into a personal liability for
leadership. The annual compliance certification now requires dual signatures from both the
CEO and CISO. These executives must attest to compliance based on actual data and
evidence; signing this certification without valid proof or while knowing of gaps can lead
to individual regulatory enforcement and penalties.

### 12.4 Who qualifies for an exemption under Part 500?

Limited exemptions are available for smaller organizations that have fewer than 20
employees, less than $7.5 million in annual revenue, or under $15 million in total assets.
While these entities are relieved from certain sophisticated governance and technical
mandates, they must still maintain a core cybersecurity program. Full exemptions generally
apply only to entities already covered by a parent company’s compliant program.

### 12.5 What additional requirements do Class A Companies face?

Class A Companies, defined as having over $20 million in NY revenue plus significant scale
($1B+ global revenue or 2,000+ employees), must meet higher security standards. These
include mandatory independent annual audits, the implementation of Privileged Access
Management (PAM) solutions, and the deployment of Endpoint Detection and Response (EDR)
systems to monitor for malicious activity.
