NYSDFS Part 500: What Covered Entities Need to Know

As of November 1, 2025, all requirements of the amended New York State Department of Financial Services (NYSDFS) Cybersecurity Regulation (23 NYCRR Part 500) are officially in effect. This marks the completion of a two-year, phased rollout that began in November 2023.

For DFS-regulated organizations, this isn’t a sudden change. It’s a checkpoint, and an opportunity to confirm that your cybersecurity program aligns with the full set of requirements now in place.

At OrbitalFire, we work with smaller DFS-regulated organizations to help them confirm where they stand, clarify gray areas, and move forward without panic.

Is NYSDFS Part 500 New in 2025?

No. The amendments were adopted in 2023 and intentionally phased in over time. The final phase taking effect simply means there are no remaining delayed requirements.

Today, DFS expects Covered Entities to:

  • Comply with all applicable Part 500 requirements
  • Maintain documentation supporting their cybersecurity program
  • Use a risk-based approach appropriate to their size and complexity

DFS has consistently emphasized reasonable, well-documented decisions over rigid, one-size-fits-all implementations.


What Changed with MFA Requirements Under Part 500?

Have the MFA requirements changed?
No. The requirements in Section 500.12 remain the same.

However, DFS recently published updated FAQs to clarify how organizations should interpret and implement the MFA requirements. These FAQs are meant to provide guidance, not to introduce new rules.

Key points to know:

  • MFA requirements themselves are unchanged
  • Risk-based implementation is expected
  • Organizations that implemented reasonable, documented controls are likely in material compliance
  • Compensating controls are permitted when:
    • Approved in writing by the CISO
    • Reviewed at least annually
    • Reasonably equivalent or more secure

DFS is looking for clarity and intent, not perfection.

For smaller organizations, MFA is often where theory and reality collide. We regularly see teams struggle not with implementing controls, but with documenting decisions, defining scope, and explaining compensating controls in a way that will hold up under review.

OrbitalFire helps DFS-regulated organizations align MFA decisions with risk, documentation, and leadership intent so controls are defensible, not just deployed.

There is a DFS Webinar on MFA

DFS is hosting a webinar to help regulated organizations better understand MFA expectations under Part 500.

Webinar: DFS Presents: Let’s Talk MFA
📅 Thursday, February 26, 2026
🕛 12:00–1:00 PM (ET)

Register Here: DFS Presents – Let’s Talk MFA registration – State of NY Enterprise Webex

The webinar will cover:

  • MFA requirements under Part 500
  • Common implementation considerations
  • How DFS views risk-based and compensating controls

Registration is required, space is limited, and registration closes February 19, 2026.


What Are the Ongoing Annual Requirements Under Part 500?

Even with all requirements now in effect, two annual obligations remain central to compliance:

Annual Certification

Covered Entities must certify compliance with Part 500 each year or submit an acknowledgment of noncompliance where applicable. Certifications should be supported by documentation that reflects actual practices.

Annual Exemption Review

If your organization relies on any Part 500 exemptions, DFS expects those exemptions to be reviewed annually to confirm they are still applicable based on your current operations.

These are best treated as routine check-ins, not last-minute exercises.

This is where many organizations feel unnecessary stress, not because they’re out of compliance, but because annual requirements weren’t treated as an ongoing rhythm.

OrbitalFire works with regulated organizations to turn certification and exemption reviews into predictable check-ins, rather than last-minute fire drills.


What Is NYSDFS Really Looking For?

DFS has been clear throughout the rollout: the focus is on governance, accountability, and continuous improvement.

For smaller, DFS-regulated organizations, that means:

  • Making cybersecurity part of regular business discussions
  • Keeping documentation current as your organization evolves
  • Being able to explain and defend your cybersecurity decisions

This approach supports resilience over time, not just compliance on paper.

OrbitalFire Supports DFS-Regulated Organizations

At OrbitalFire, we help smaller DFS-regulated organizations translate Part 500 into something practical and manageable.

We help you:

  • Confirm where you stand now that all Part 500 requirements are in effect
  • Navigate MFA requirements and compensating controls with confidence
  • Prepare for annual certification with documentation that reflects reality
  • Keep your cybersecurity program aligned as your business evolves

We protect you from cybercrime, audits, regulations, and yourself—without adding unnecessary complexity.

The completion of NYSDFS Part 500 isn’t a cliff—it’s a checkpoint.

Organizations that treat cybersecurity as an ongoing leadership responsibility will find this moment manageable, even boring. And that’s exactly where you want to be.

If you want a clear, practical review of your Part 500 posture, OrbitalFire is ready to help you move forward with confidence. Reach Out Today


Frequently Asked Questions

What does it mean that NYSDFS Part 500 is fully in effect?
It means that as of November 1, 2025, all applicable requirements of the amended NYSDFS Cybersecurity Regulation (23 NYCRR Part 500) are now in effect and Covered Entities are expected to comply.

Did NYSDFS change the Part 500 MFA requirements?
No. The MFA requirements in Section 500.12 remain unchanged. DFS published updated FAQs to clarify how Covered Entities can implement MFA in a risk-based way.

There is a DFS webinar about MFA that we recommend attending if you have any questions. “DFS Presents: Let’s Talk MFA” is on February 26, 2026, from 12:00–1:00 PM ET. Registration closes February 19, 2026 and space is limited. Register Here

Are compensating controls allowed under Part 500 MFA requirements?
Yes. Section 500.12(b) allows reasonably equivalent or more secure compensating controls if approved in writing by the CISO and reviewed at least annually.

What are the annual Part 500 requirements Covered Entities should remember?
Covered Entities must complete annual certification (or acknowledgment of noncompliance, where applicable) and should review any claimed exemptions annually to confirm they still apply.