As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance.

Organizations such as CrowdStrike report that in 2025 cyberattacks are increasing in speed, volume, and sophistication, and that cybercrime has evolved into a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.

Enter the amendments to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500, adopted in November 2023 (the “Amended Regulation”), whose final phase of requirements became effective on November 1, 2025. This post explores the breadth of the Amended Regulation and the steps that covered entities need to take now.

The Amended Regulation applies to “covered entities,” i.e., DFS-regulated entities including partnerships, corporations, branches, agencies, and associations—indeed, “any person”—operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York’s Banking Law, Insurance Law, or Financial Services Laws.

Notably, health maintenance organizations (HMOs) and continuing care retirement communities (CCRCs) are considered covered entities. NYDFS-authorized New York branches, agencies, and representative offices of out-of-country foreign banks are also covered entities subject to the requirements of Part 500.

While some requirements took effect almost immediately in late 2023, others were phased in through 2024 and 2025. The final set of requirements, effective November 1, 2025, requires covered entities to:

  • expand multifactor authentication (MFA) to include all individuals accessing information systems; and
  • implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of information systems.

Multi-Factor Authentication (MFA)

The amended Section 500.12 requires covered entities to use multi-factor authentication (MFA) for any individual accessing any information system of a covered entity, regardless of location, type of user, and type of information contained on the information system being accessed (FAQ 18). Information systems that require MFA include email, document hosting, and related services, whether on-premises or in the cloud, such as Office 365 and G Suite (FAQ 19).

Definition

MFA is defined in the regulation as authentication through verification of at least two of the following types of authentication factors:

  • knowledge factors, such as a password, passphrase, or personal identification number (PIN);
  • possession factors, such as a hardware token, authentication app, or smartcard; or
  • inherence factors, such as a biometric characteristic (fingerprints, facial recognition, or other biometric markers).

Artificial Intelligence and Other Risks

Note that while the definition counts passwords and biometric characteristics as authentication factors, caution is warranted, as AI deepfakes now pose a risk to biometric-based systems. Indeed, NYDFS issued a related letter regarding AI cybersecurity risks in October 2024. The October 2024 letter does not impose new requirements with respect to the Amended Regulation, yet states:

While Covered Entities have the flexibility to decide, based on their Risk Assessments, which authentication factors to use, not all forms of authentication are equally effective. Given the risks…Covered Entities should consider using authentication factors that can withstand AI-manipulated deepfakes and other AI-enhanced attacks by avoiding authentication via SMS text, voice, or video, and using forms of authentication that AI deepfakes cannot impersonate, such as digital-based certificates and physical security keys. Similarly, instead of using a traditional fingerprint or other biometric authentication system, Covered Entities should consider using an authentication factor that employs technology with liveness detection or texture analysis to verify that a print or other biometric factor comes from a live person. Another option is to use authentication via more than one biometric modality at the same time, such as a fingerprint in combination with iris recognition, or fingerprint in combination with user keystrokes and navigational patterns. [Footnotes omitted].

The NYDFS July 2025 Guidance on the MFA requirements stresses the need “for organizations to understand the trade-offs associated with each method in order to make informed, risk-based decisions.” The July 2025 Guidance discusses the tradeoffs with respect to SMS Authentication, App-based Authentication (with and without number matching), and Token-based Authentication. Note that a covered entity’s Chief Information Security Officer (CISO) may approve in writing the use of reasonably equivalent or more secure controls, to be reviewed at least annually.
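The following is an added illustration, not code from NYDFS or from this post, of the two points above: Section 500.12 counts distinct factor types rather than the number of prompts, so a password plus a PIN is not MFA, while the October 2024 letter singles out SMS, voice, and video as forms to avoid and physical keys and certificates as forms deepfakes cannot impersonate. The authenticator labels, the assumed per-system login policies, and the liveness flag are this example's own vocabulary, not regulatory terms.

```python
"""Classify an authentication policy against the Part 500.12 MFA definition
and flag the authenticator forms the NYDFS October 2024 AI letter advises
against. Added example; labels and sample policies are assumptions."""
from dataclasses import dataclass, field

# Map each authenticator label (this example's vocabulary) to the factor
# type it provides under the regulation's definition.
FACTOR_TYPE = {
    "password": "knowledge", "passphrase": "knowledge", "pin": "knowledge",
    "security_question": "knowledge",
    "hardware_key": "possession", "smartcard": "possession",
    "certificate": "possession", "totp_app": "possession",
    "push_app": "possession", "sms_otp": "possession", "voice_call": "possession",
    "fingerprint": "inherence", "face": "inherence", "iris": "inherence",
    "video_verification": "inherence",
}

# Forms the October 2024 letter says covered entities should consider avoiding.
DEEPFAKE_EXPOSED = {"sms_otp", "voice_call", "video_verification"}
# Forms the letter names as ones AI deepfakes cannot impersonate.
DEEPFAKE_RESISTANT = {"hardware_key", "smartcard", "certificate"}


@dataclass
class Verdict:
    is_mfa: bool
    factor_types: set
    deepfake_resistant: bool
    findings: list = field(default_factory=list)


def evaluate(authenticators, liveness_detection=False):
    """Return a Verdict for one login policy.

    Two authenticators of the same type (e.g. password + PIN) do not make
    MFA: the definition requires at least two *types*. liveness_detection
    says whether any biometric factor verifies a live person, as the letter
    suggests; it is an assumed attribute of the deployed system."""
    types = set()
    for name in authenticators:
        if name not in FACTOR_TYPE:
            raise ValueError(f"unknown authenticator: {name}")
        types.add(FACTOR_TYPE[name])
    verdict = Verdict(
        is_mfa=len(types) >= 2,
        factor_types=types,
        deepfake_resistant=bool(DEEPFAKE_RESISTANT & set(authenticators)),
    )
    if not verdict.is_mfa:
        verdict.findings.append(
            f"only {len(types)} factor type(s) present; not MFA under 500.12")
    exposed = sorted(DEEPFAKE_EXPOSED & set(authenticators))
    if exposed:
        verdict.findings.append(
            "deepfake-exposed factor(s): " + ", ".join(exposed)
            + " (October 2024 letter advises avoiding SMS, voice and video)")
    biometric = sorted(a for a in authenticators if FACTOR_TYPE[a] == "inherence")
    if biometric and not liveness_detection:
        verdict.findings.append(
            "biometric factor(s) " + ", ".join(biometric)
            + " without liveness detection or texture analysis")
    return verdict


# Constructed sample: one policy per information system (assumed names).
SAMPLE_POLICIES = {
    "vpn": (["password", "hardware_key"], False),
    "email": (["password", "sms_otp"], False),
    "hr_portal": (["password", "pin"], False),
    "branch_kiosk": (["smartcard", "fingerprint"], False),
}


def report(policies=SAMPLE_POLICIES):
    """Evaluate every system and return {system: Verdict}."""
    return {name: evaluate(auths, live) for name, (auths, live) in policies.items()}


if __name__ == "__main__":
    for system, v in report().items():
        status = "MFA" if v.is_mfa else "NOT MFA"
        print(f"{system:13s} {status:8s} types={sorted(v.factor_types)}")
        for f in v.findings:
            print(f"    - {f}")
```

Run on the sample policies, the VPN passes cleanly, email counts as MFA but is flagged for SMS, the HR portal fails because both factors are knowledge factors, and the kiosk is MFA but is flagged for a fingerprint reader without liveness detection.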

Limited Exemptions

A covered entity may qualify for a limited exemption under Section 500.19(a), which provides limited exemptions for covered entities with:

  • fewer than 20 employees;
  • less than $7,500,000 in gross annual revenue in each of the last three years; or
  • less than $15,000,000 in year-end total assets.

Where one of the limited exemptions applies, MFA must still be used for:

  • remote access to the covered entity’s information system;
  • remote access to third-party applications, including but not limited to those that are cloud-based, from which nonpublic information is accessible; and
  • all privileged accounts other than service accounts that prohibit interactive login.

Asset Inventory of Information Systems

Section 500.13(a) requires covered entities—as part of their cybersecurity programs—to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems. At a minimum, policies and procedures must include

  • a method to track specified key information for each asset, including, as applicable:
    • the owner;
    • the location;
    • classification or sensitivity;
    • support expiration date;
    • recovery time objectives; and
  • the frequency required to update and validate the covered entity’s asset inventory.

Section 500.13(b) also requires covered entities to include policies and procedures for the secure disposal on a periodic basis of any nonpublic information (identified in section 500.1(k)(2)-(3)) that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
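Section 500.13(a) prescribes what an inventory must track and how often it must be validated, but not how to check that an inventory actually meets the bar. The following is an added example, not from NYDFS or this post, of such a check: it reads a constructed inventory, confirms every asset carries the minimum fields (owner, location, classification, support expiration, recovery time objective), and flags assets whose support has expired or that have not been validated within the entity's own cadence. The CSV layout, column names, and the 90-day validation interval are this example's assumptions, not prescribed by the regulation.

```python
"""Audit an asset inventory against the minimum tracking fields of Part
500.13(a) and an assumed update/validation cadence. Added example; the CSV
columns and the 90-day interval are assumptions, not regulatory text."""
import csv
import io
from datetime import date, timedelta

# Minimum per-asset fields named in 500.13(a)(1), plus the two this example
# needs for validation tracking (asset_id, last_validated).
REQUIRED_COLUMNS = ["asset_id", "owner", "location", "classification",
                    "support_expires", "rto_hours", "last_validated"]
MUST_BE_NONEMPTY = ["owner", "location", "classification", "rto_hours"]
VALIDATION_INTERVAL = timedelta(days=90)  # assumed policy cadence

# Constructed sample inventory (fictional assets).
SAMPLE_INVENTORY = """\
asset_id,owner,location,classification,support_expires,rto_hours,last_validated
srv-001,platform-team,nyc-dc1,confidential,2027-06-30,4,2025-10-01
srv-002,,aws-us-east-1,confidential,2024-01-15,8,2025-03-12
lap-117,j.doe,remote,internal,2028-12-31,,2025-10-20
db-009,data-team,aws-us-east-1,,2026-02-28,1,2025-09-30
"""


def parse_date(text):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(text.strip()) if text and text.strip() else None


def audit(csv_text, today, interval=VALIDATION_INTERVAL):
    """Return a list of (asset_id, finding) tuples; empty means clean."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing_cols:
        raise ValueError(f"inventory lacks required columns: {missing_cols}")

    findings = []
    for row in reader:
        aid = row["asset_id"].strip()
        for col in MUST_BE_NONEMPTY:
            if not row[col].strip():
                findings.append((aid, f"missing {col}"))

        expires = parse_date(row["support_expires"])
        if expires is None:
            findings.append((aid, "missing support_expires"))
        elif expires < today:
            findings.append((aid, f"support expired {expires.isoformat()}"))

        validated = parse_date(row["last_validated"])
        if validated is None:
            findings.append((aid, "never validated"))
        elif today - validated > interval:
            age = (today - validated).days
            findings.append((aid, f"not validated for {age} days (limit {interval.days})"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit(SAMPLE_INVENTORY, date(2025, 11, 1)):
        print(f"{asset:8s} {finding}")
```

Against the sample with today set to 2025-11-01, srv-001 is clean; srv-002 is flagged three times (no owner, support expired in January 2024, last validated 234 days ago); lap-117 lacks a recovery time objective; and db-009 lacks a classification. An inventory missing one of the required columns altogether is rejected outright rather than silently passing.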

Enforcement

The regulation is to be enforced by the superintendent. Section 500.20 states that the failure to act to satisfy an obligation shall constitute a violation, although the superintendent is directed, when assessing penalties, to consider elements including cooperation, good faith, history of prior violations, the number of violations, and the extent of harm to consumers. In a recent example, in August, NYDFS secured a $2 million settlement with a health insurance provider for violations of Part 500.

Takeaways

Implementation

Covered entities must:

  • implement MFA for any individual accessing any information system of the covered entity, or meet the requirements of a limited exemption (fewer than 20 employees; less than $7,500,000 in gross annual revenue in each of the last three years; or less than $15,000,000 in year-end total assets). Covered entities should understand the various methods of MFA in order to make informed, risk-based decisions regarding their use;
  • implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems, including 1) a method to track key information for each asset and 2) the frequency required to update and validate the inventory; and
  • note that the CISO may approve alternative controls in writing, if these are reasonably equivalent or more secure, with the approval reviewed at least annually.

Compliance Filing

Covered entities must:

  • submit to NYDFS an annual notice regarding compliance with Part 500—through a Certification of Material Compliance or an Acknowledgment of Noncompliance—by April 15 (covers compliance during the previous calendar year), unless fully exempt and a Notice of Exemption is submitted (FAQ 29);
  • file separate annual notifications, if holding more than one license;
  • keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request;
  • notify NYDFS of a cybersecurity incident no later than 72 hours after determining that one has occurred (FAQ 20). Notification may be required even if the attack is unsuccessful (FAQ 21) or occurs at a third-party service provider (FAQ 23).

Third Parties

Covered entities should also ensure compliance with the requirements pertaining to third-party service providers, including:

  • Implementing policies with respect to third-party service providers (Section 500.11).
  • Undertaking a thorough due diligence process in evaluating the cybersecurity practices of third-party providers; the FAQs state that relying on the latter’s certification of material compliance is insufficient.
  • Cybersecurity governance: If the CISO is employed by a third-party service provider, the covered entity shall retain responsibility and provide direction and oversight (Section 500.4).
  • Making a risk assessment regarding appropriate controls for third-party service providers (Section 500.11(b)).

Note that NYDFS issued “Guidance on Managing Risks Related to Third-Party Service Providers” in October 2025, and has also published a Part 500 checklist, an exemption flowchart, and other resources. Developments are fast-paced in the cybersecurity world, and companies have a lot to lose if they pay insufficient attention to these new legal requirements, which set a new floor. While meeting all of these (and other) cyber requirements may not be easy, this remains a space in which an ounce of prevention may well be worth a pound of cure.

EBG will continue to monitor developments in this area. If you have questions or need assistance in implementation of the Amended Regulations within your organization, please reach out to the authors or the EBG attorney with whom you work.

Epstein Becker Green Staff Attorney Ann W. Parks assisted with the preparation of this post.
