Today, May 1, 2025, additional enhanced cybersecurity controls required by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) (the “Second Amendment”) take effect. The Second Amendment was adopted in November 2023, but NYDFS staged its requirements over a multi-year rollout, with tranches taking effect between November 2023 and November 2025. The requirements that take effect today focus on vulnerability scanning, access controls, and monitoring and logging:
Section 500.5(a)(2) — Vulnerability Scanning
- Covered Entities must now conduct automated vulnerability scans of their information systems, together with a manual review of any systems not covered by those automated scans, for the purpose of discovering, analyzing, and reporting vulnerabilities; and
- The frequency of these scans and reviews is set by the Covered Entity’s risk assessment (with scans also to be run promptly after any material system change), and identified vulnerabilities must be remediated in a timely manner, with the highest-risk vulnerabilities prioritized.
Section 500.7 — Access Controls
Covered Entities are now required to have prescriptive access control protocols, including the following:
- Limiting user access privileges to information systems that provide access to nonpublic information to only those privileges necessary to perform the user’s job (i.e., “need to know”);
- Implementing enhanced privileged account requirements, including limiting the number of privileged accounts, limiting their access functions to those necessary, and restricting the use of privileged accounts to only when performing functions that require such access;
- Reviewing all user access privileges periodically (at least annually) and removing or disabling accounts and access that are no longer necessary;
- Disabling or securely configuring all protocols that permit remote control of devices;
- Promptly terminating access of former employees and personnel; and
- Implementing a reasonable written password policy.
In addition, certain large Covered Entities known as “Class A” companies must also:
- Implement a privileged access management solution;
- Monitor privileged access activity; and
- Implement an automated method for blocking commonly used passwords.
Section 500.14(a)(2) and (b) — Monitoring and Logging
- Covered Entities must now specifically implement risk-based controls designed to protect against malicious code, including controls that monitor and filter web traffic and electronic mail to block malicious content; and
- Class A companies must also implement the following solutions (unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls):
- An endpoint detection and response solution to monitor anomalous activity, including lateral movement; and
- A solution that centralizes logging and security event alerting.
The final tranche of the Second Amendment’s enhanced requirements will take effect on November 1, 2025. These requirements will focus on expanding multi-factor authentication (MFA) obligations for Covered Entities, removing the small business exemption from the MFA requirement, and requiring that Covered Entities maintain a complete asset inventory. That inventory must include a method to track key information for each asset, including, as applicable, the asset’s “(i) owner; (ii) location; (iii) classification or sensitivity; (iv) support expiration date; and (v) recovery time objectives.”
Alston & Bird’s Privacy, Cyber, and Data Strategy Team and Litigation & Enforcement Team will continue to monitor this space as NYDFS implements further enhanced cybersecurity controls.