Description
Covered entities must file annual certifications of compliance with NYDFS Cybersecurity Regulation (23 NYCRR Part 500), including the November 1, 2025 amendments requiring expanded MFA for all information system access and written asset inventory procedures. This is the first certification cycle that includes the final tranche of Second Amendment requirements.
Requirements
- Complete annual cybersecurity certification filing
- Verify expanded MFA for all information system access
- Document written asset inventory procedures
- Review compliance with Second Amendment requirements
- Submit certification to NYDFS portal
Applicable To
Banks licensed in New YorkInsurance companies in New YorkFinancial services firms in New YorkMortgage companies operating in New York
Penalty Information
âš NYDFS can impose civil monetary penalties, issue consent orders, and revoke licenses for non-compliance.