New York DFS requires all 23 NYCRR Part 500 covered entities to complete second-amendment upgrades by 1 November 2025, including annual board certifications, privileged access monitoring, and ransomware-ready incident response.
Executive briefing: The New York State Department of Financial Services’ 2023 second amendment to its Cybersecurity Regulation (23 NYCRR Part 500) entered into force on 1 November 2023 with staged milestones. The final compliance date of 1 November 2025 now closes the remaining transition window for all covered entities, ending temporary relief for items such as board-level certification, privileged access governance, and ransomware response protocols.
Controls due by 1 November 2025
- Board oversight. Covered entities must obtain annual board or senior officer certification affirming compliance, backed by documented risk assessments, materiality determinations, and remediation plans.
- Privileged access hardening. Class A companies must conduct independent penetration tests, implement password vaulting or multi-factor authentication for privileged accounts, and log privileged sessions for continuous monitoring.
- Security operations uplift. 24×7 monitoring through internal staff or managed services must be demonstrable, along with incident response playbooks that explicitly cover ransomware and extortion events.
November execution priorities
- Evidence readiness. Align GRC systems so audit trails for risk assessments, gap remediation, and board briefings are exportable for DFS examinations and certification sign-off.
- Ransomware tabletop drills. Validate containment, legal escalation, OFAC screening, and communication playbooks against the amended incident response requirements.
- Continuous monitoring proofs. Capture SOC metrics—including alert coverage, mean time to detection, and escalation evidence—to show 24×7 operations are either insourced or under contract with a qualified provider.