Are you operating as a financial services business? Are you aware of the new cybersecurity rules that will soon apply to New York–regulated financial firms? If you are a financial services business and are unaware of the upcoming compliance date for New York’s cybersecurity requirements, please mark your calendar. On November 1, 2025, the final phase of compliance under the New York Department of Financial Services’ (DFS) 23 NYCRR Part 500 (Cybersecurity Regulation) will take effect. These requirements stem from the second amendment (Second Amendment) to the Cybersecurity Regulation, which was originally adopted in 2017; the amended requirements have been rolling out in phases since the Second Amendment was finalized in November 2023.
Compliance is mandatory for firms licensed or supervised by DFS. The Cybersecurity Regulation applies broadly to financial services companies regulated by DFS, including those engaged in banking, insurance, mortgage lending and servicing, money transmission, and virtual currency (i.e., crypto) activities, among others. With ransomware, extortion, and third-party breaches continuing to rise, DFS has made it clear that cybersecurity is now a core compliance obligation.
From 2017 to Today
The DFS Cybersecurity Regulation was first issued in 2017, making New York the first state in the country to impose binding cybersecurity standards across the financial services sector operating within its jurisdiction. Early requirements included appointing a Chief Information Security Officer (CISO), adopting multi-factor authentication (MFA) requirements, performing regular risk assessments, maintaining records of audit trails, and reporting cybersecurity events within 72 hours of discovery.
Since then, the cyber threat landscape has changed significantly, with ransomware, supply-chain compromises, and cloud vulnerabilities putting pressure on financial firms. In response, DFS adopted the Second Amendment to the 2017 Cybersecurity Regulation, effective November 1, 2023. The amendment introduced stricter governance, technical, and reporting standards, with staggered compliance dates designed to give firms time to adapt. The final compliance phase, which starts on November 1, 2025, will impose the most significant cybersecurity requirements to date.
For additional background on annual compliance submissions under the Cybersecurity Regulation, see Katten’s 2025 advisory.
Background on the Cybersecurity Regulation
The Cybersecurity Regulation is structured as a risk-based framework, not a one-size-fits-all checklist. Each covered entity must establish a cybersecurity program that protects sensitive information, detects and responds to threats, and ensures business continuity. Programs must be led by a CISO, overseen by the organization’s board or other senior governing body, and supported by written policies covering areas such as access controls, vendor oversight, data retention, incident response, and disaster recovery.
Transparency is a central feature of the regulation. Companies must notify DFS promptly of significant cybersecurity incidents and submit an annual certification of material compliance or an acknowledgment of noncompliance with a remediation plan. The Second Amendment builds on this foundation by raising governance expectations, strengthening technical requirements, and tailoring obligations for larger institutions now classified as “Class A companies.”
The Road to Phase 3: November 1, 2025
DFS designed the Second Amendment to roll out in phases over two years. Early deadlines required faster incident reporting, annual certifications, and updated risk assessments, while later milestones strengthened governance, encryption policies, and business continuity planning. More recent obligations added advanced technical safeguards such as automated scanning, privileged access management, and centralized monitoring.
All of this leads to phase 3, the final compliance deadline on November 1, 2025, when every major element of the amended regulation becomes fully enforceable. By this date, covered entities must show that critical safeguards are operational and producing evidence of effectiveness, including the following.
- Expanded MFA (500.12). Broader MFA coverage across users and systems, with exceptions only where the CISO has approved documented compensating controls.
- Comprehensive asset inventory (500.13). A detailed, validated catalog of all information system assets, including ownership, location, sensitivity, support lifecycle, and recovery objectives.
- Continuous vulnerability management (500.5). Automated scans, manual reviews, and prompt remediation prioritized by risk.
- Strict access privilege controls (500.7). Annual reviews, enforcement of least privilege, rapid deprovisioning, and Privileged Access Management tools for Class A companies.
- Enhanced monitoring and training (500.14). Logging of user activity, malware filtering, annual social-engineering training, and, for Class A companies, advanced tools such as endpoint detection and centralized logging.
Phase 3 is not about drafting policies. It is about proving consistent, auditable implementation. DFS examiners will expect to review logs, scan results (i.e., the output of the automated tools typically used to detect vulnerabilities, misconfigurations, and compliance gaps), board minutes, training records, and remediation documentation. Firms that wait until the deadline to implement these safeguards risk being caught unprepared when DFS demands proof.
What This Means for Firms
The DFS Cybersecurity Regulation has become one of the most detailed and enforceable cybersecurity frameworks in the United States. It elevates cybersecurity from an information technology function to a core governance and compliance discipline. Boards and executives will need to show not only that they have policies, but that those policies are actively implemented and enforced. The annual certification process places personal accountability squarely on leadership.
Cybersecurity programs must demonstrate operational maturity, with asset inventories, vulnerability scans, access controls, vendor oversight, training, and incident response all generating clear, auditable evidence of ongoing use. Smaller firms must also watch exemption thresholds carefully, as even modest growth in employees, revenue, or assets can disqualify them from relief. If that happens, they will have only 180 days to comply fully.
If you are unsure whether your firm qualifies as a Class A company, whether your existing program can withstand stricter scrutiny, or how to prepare your next compliance certifications, now is the time to act. The November 1, 2025 deadline is the turning point for firms with New York-based operations subject to the Cybersecurity Regulation. Preparing early can make all the difference between regulatory scrutiny and regulatory confidence.
If you have any questions regarding the Cybersecurity Regulation or would like assistance with readiness assessments, program updates, or preparing for the final phase of compliance, please contact Katten's Financial Markets and Funds team or the Privacy, Data and Cybersecurity team.