When New York State’s cybersecurity regulation (23 NYCRR Part 500) took effect in 2017, it changed how financial institutions (FIs) talked about cybersecurity. Multi-factor authentication wasn’t standard. Asking vendors detailed questions about encryption, incident response, or subcontractors felt excessive — sometimes even uncomfortable.
Eight years later, those questions are routine. Over that time, the New York Department of Financial Services (NYDFS) has continued to raise the stakes — actively enforcing Part 500 with multi-million-dollar penalties and rolling out sweeping amendments in 2023, with the final requirements taking effect in November 2025.
These weren’t minor adjustments. They reflected a shift in how NYDFS expects institutions to govern cybersecurity risk — especially vendor risk — with clearer accountability, tighter reporting timelines, and far less room for interpretation.
What began as baseline cyber hygiene has evolved into a prescriptive, risk-based framework that raises expectations around governance, incident response, access controls, and board oversight for FIs, including banks, credit unions, mortgage companies, and insurers.
Beyond New York, the changes offer a signal of where state-level cybersecurity regulation may be headed more broadly, as states step in to define clearer expectations amid shifting federal priorities.
Let’s take a closer look at New York’s cybersecurity rule for the financial services industry.
What is the NYDFS Cybersecurity Regulation?
Part 500 established comprehensive cybersecurity requirements for financial services companies operating in New York — everything from cybersecurity policies and chief information security officer (CISO) designations to penetration testing and encryption standards.
The regulation also underscores the cyber risks posed by vendors, introducing extensive third-party requirements — from documented access-control expectations to encryption standards for any nonpublic data they handle.
Since then, NYDFS has made sweeping amendments to Part 500, including:
- Comprehensive board oversight. Board members must actively oversee cybersecurity. They must understand the risks cyber incidents pose, approve policies annually, and challenge management’s decisions as needed.
- Increased technical standards. Multi-factor authentication (MFA) is mandatory for all privileged accounts and remote access; annual penetration testing must occur on schedule; and encryption standards must be clearly defined. FIs also need to maintain a complete, current asset inventory — because you can't defend something if you don’t know it exists.
- Prompt vendor incident reporting. Cyber events involving third-party vendors must be reported to NYDFS within 72 hours based on when the incident occurs, not when the vendor decides to share the news.
Implementation began in November 2023, with requirements phased in over the last two years.
What does New York’s cybersecurity regulation look like today?
On November 1, 2025, the final parts of the amendments took effect, focusing on two non-negotiable elements:
- Mandatory MFA for all covered entities: Regardless of size or complexity, every covered institution must implement MFA across its environment.
- Comprehensive data asset inventory: Covered entities must maintain a detailed, continuously updated inventory that tracks asset owners, locations, data classifications, retention dates, and Recovery Time Objective (RTO).
The implementation of these final requirements under New York’s cybersecurity regulation for financial services companies marks the completion of one of the most significant state-level rulemakings in years.
For FIs in New York and across the country, the final amendments make it clear: cybersecurity requires a strong vendor management program, active board oversight, and ongoing vigilance in a fast-changing threat environment.
Bottom line: The NYDFS is formalizing what security teams have known for years. If you don't know your data, where it lives, and how critical it is, you can't protect it. Keeping track of your internal and vendor data is no longer a spreadsheet exercise — it requires a proactive approach and the right tools to manage it properly.
What are the requirements and best practices outlined in the NYDFS Cyber Regulation?
In October 2025, the NYDFS released guidance to help FIs better manage vendor risks. The core message is straightforward for FIs working with third-party providers: you can’t outsource cybersecurity responsibilities.
Like the Interagency Guidance on Third-Party Relationships from federal regulators, the NYDFS regulation guidance cites a vendor lifecycle approach, highlighting a few key areas:
Vendor questionnaire
FIs must know their vendors in and out: how they manage access and MFA, their encryption standards for data at rest and in transit, and how fast they will communicate when something goes wrong. They must prove compliance with Part 500 or risk putting their systems — and your FI — in jeopardy.
Other critical vendor questions:
- Where is your data stored, and could it cross borders?
- Who are their subcontractors (fourth-party vendors), and can you reject them if needed?
- What is their artificial intelligence (AI) policy? Can your customer data feed their models without your knowledge?
Due diligence
FIs must classify vendors by risk. For example, a company that manages IT infrastructure isn't the same as the one that cleans the offices. Critical vendors get high-scrutiny treatment.
The NYDFS guidance recommends evaluating vendors based on their system access, cybersecurity history, and whether they maintain proper audit trails. Institutions shouldn't overlook downstream providers — those "fourth parties" who could create risk they never saw coming. A standardized questionnaire helps, but FIs need qualified personnel to interpret responses and ask the right follow-up questions.
Contracts
Vendor agreements should deliver real consequences when things go wrong — not vague promises to “work together.” Think early termination rights, mandatory remediation deadlines, and clear accountability. FIs need the legal authority to say "no" when a vendor wants to use a subcontractor that doesn’t meet the FI’s security and risk requirements.
The guidance recommends baseline provisions covering:
Ongoing monitoring
A pre-contract assessment is only the beginning. FIs need to repeat this review regularly. Ongoing monitoring should cover security attestations (SOC 2, ISO 27001), penetration test results, vulnerability management updates, and verification that vendors have addressed past issues.
The guidance also underscores the importance of integrating third-party risk into incident response and business continuity planning. Institutions should evaluate how quickly they could switch to alternative providers if something goes wrong and test those plans with their vendors.
Termination
When a vendor relationship ends, FIs can’t simply walk away. NYDFS is explicit about offboarding expectations: access must be fully revoked (including system accounts, SSO, and APIs), data must be securely returned or destroyed with documented certification, and institutions must account for residual access points outside standard systems.
After termination, conduct a final risk review, document everything, and incorporate lessons learned into future vendor relationships.
The guidance also makes clear that “risk-based” doesn’t mean one-size-fits-all. Community banks and credit unions don’t need to review an office supply vendor the same way they would a core banking system provider.
What are the penalties for noncompliance?
The NYDFS is serious about cybersecurity enforcement under Part 500, with penalties ranging from $1 million to $4.5 million. Recent enforcement includes PayPal’s $2 million penalty (January 2025) for staffing, training, access controls, and MFA gaps that exposed customer data.
Other notable cases include: a vision insurer paid $4.5 million (October 2022); an insurance company paid $1 million (November 2023) for access control failures; and a mortgage lender settled for $1.5 million (March 2021) for delayed breach reporting and missing risk assessments.
Does the regulation only apply to New York FIs?
If your organization is licensed, registered, or supervised by the New York Department of Financial Services, Part 500 applies — regardless of where you’re headquartered. It’s not about simply having a customer in New York. It’s about regulatory oversight.
If you provide regulated services such as mortgage lending or servicing, insurance, banking or trust services, money transmission or payments (including virtual currency activity), or operate as a licensed nonbank financial services provider in New York — and NYDFS could examine or fine you — you’re likely in scope.
The New York Effect is real — and it’s just the beginning
New York remains an outlier in how far it has gone — but not in where it’s pointing. As states take a more active role in regulation and cybersecurity oversight, Part 500 has effectively become a reference point for what regulators expect FIs to be able to demonstrate and defend.
That influence extends beyond regulated institutions. Vendors serving financial services are increasingly aligning their security practices with Part 500 expectations, meaning institutions nationwide are seeing higher baseline controls even where the rule doesn’t technically apply. In practice, that looks like vendors being prepared to document MFA, encryption, incident response capabilities, subcontractor controls, and emerging governance areas like AI use.
What began as a New York–specific regulation is now shaping a broader industry standard. The 2023 amendments raised the bar, the phased implementation through 2025 clarified how to meet it, and vendors are responding because their customers — and their customers’ regulators — expect it. The result is more consistent vendor security practices, clearer accountability, and stronger contractual protections around data and technology risk.
The takeaway is straightforward: what happens in New York doesn’t stay in New York. It influences how cybersecurity risk is defined, evaluated, and enforced across the financial services ecosystem.