Two months after the New York Department of Financial Services (“NYDFS”) updated its Frequently Asked Questions (“FAQs”), which we wrote about here, NYDFS has released updated FAQs on multifactor authentication (“MFA”) that further clarify 23 NYCRR § 500.12. As we previously reported, the FAQs from December 2025 provided prescriptive guidance, including clarifications on technical requirements […]
About Kate Hanniford
NYDFS Releases New Prescriptive FAQs on MFA
The New York Department of Financial Services (NYDFS) has released a new set of Frequently Asked Questions (FAQs 18–23) under 23 NYCRR Part 500, reinforcing its position that multifactor authentication (MFA) remains a critical component of a covered entity’s cybersecurity program. These FAQs provide highly prescriptive guidance, including clarifications on technical requirements for the “possession” […]
HIPAA Security Rule: Still on Track for Finalization
Since the HHS Office for Civil Rights’ (OCR) publication of a proposed rule to overhaul the HIPAA Security Rule in January 2025, many in the health care and privacy community have wondered whether the rule would quietly fade away. Some even hoped it might be “dead in the water.” However, despite sharp criticisms and industry […]
NYDFS Issues Guidance on Managing Risks Related to Third-Party Service Providers
On October 21, 2025, the New York Department of Financial Services (“NYDFS”) published an Industry Letter (the “Letter”) outlining guidance on managing risks related to third-party service providers (“TPSPs”). NYDFS recognizes that as covered entities become more reliant on TPSPs, managing TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program.” The Letter outlines […]
SEC Withdraws Proposed Cyber-Related Rule Applicable to Broker-Dealers And Signals SolarWinds Settlement on the Horizon
The Securities and Exchange Commission (SEC) recently announced the withdrawal of several Biden-era regulations, including a proposed rule that would have required a broad range of platforms and financial intermediaries (such as broker-dealers, clearing agencies, national securities exchanges, and transfer agents) to adopt policies and procedures that address cybersecurity risks. The proposed rule also would […]