The New York Department of Financial Services (DFS) continues to roll out new requirements under its amended Cybersecurity Regulation (23 NYCRR Part 500), with critical deadlines approaching in 2025. Covered entities—including banks, credit unions, mortgage lenders, and other financial services firms—must take proactive steps to ensure full compliance with both annual reporting obligations and newly enhanced security requirements.
As your trusted compliance partner, NETBankAudit is here to help financial institutions stay ahead of these changes. Below is a comprehensive overview of the upcoming deadlines and regulatory updates.
Annual Compliance Notification Due by April 15, 2025
All covered entities must submit their Annual Compliance Notification for the 2024 calendar year through the DFS Portal by April 15, 2025. This annual notification is a core requirement under the Cybersecurity Regulation and serves as a formal attestation of your institution’s cybersecurity posture.
Two Filing Options
Entities must file either:
- Certification of Material Compliance – A formal statement certifying that the entity was materially compliant with applicable provisions of the Cybersecurity Regulation throughout 2024.
- Acknowledgement of Noncompliance – For entities not fully compliant, this option requires disclosure of all unmet sections of the regulation, accompanied by a remediation timeline.
Exemptions and Notifications
- Fully exempt entities do not need to file.
- Partially exempt entities (those meeting limited exemption criteria under Section 500.19) are still required to submit an annual notification of compliance.
Annual Notification Requirement Recap
The annual notification is not optional and applies to almost all covered entities, regardless of size. It is the DFS’s primary mechanism for ensuring entities maintain ongoing compliance with evolving cybersecurity expectations.
For detailed filing instructions and access to the DFS Compliance Filing Portal, entities should visit the DFS Cybersecurity Resource Center.
New Requirements Effective May 1, 2025
As part of the amended Cybersecurity Regulation, additional requirements take effect on May 1, 2025. These updates introduce enhanced operational controls, vulnerability management practices, and security technologies, all intended to further strengthen cybersecurity resilience across covered entities.
Key Requirements for All Non-Exempt Covered Entities
- Access Privileges Management (Section 500.7)
  - Establish and enforce policies limiting user access privileges, particularly for privileged accounts.
  - Conduct regular reviews of access rights and promptly revoke unnecessary accounts or permissions.
  - Disable or securely configure remote access protocols.
  - Terminate system access immediately upon personnel departure.
  - Adopt a reasonable, written password policy if passwords are in use.
Requirements for Standard and Class A Entities
- Vulnerability Management (Section 500.5)
  - Conduct automated system scans and manual reviews of systems not covered by automation.
  - These scans must be performed at intervals set by the entity’s risk assessment, as well as after material system changes.
  - Vulnerability identification, analysis, and remediation processes must be formally documented.
- Malicious Code Protections (Section 500.14)
  - Covered entities must implement effective technical controls to detect and block malicious code across their networks and systems.
Additional Requirements for Class A Entities
Entities designated as Class A (generally larger, more complex organizations) face additional requirements to implement enhanced security monitoring, detection, and response capabilities:
- Endpoint Detection and Response (EDR)
  - Deploy EDR technology to monitor for anomalous activity on all endpoints.
- Centralized Logging and Security Event Alerts
  - Implement a centralized logging system with real-time security event alerts.
- CISO Oversight of Compensating Controls
  - Class A entities may adopt compensating controls if they provide equivalent or better protection, but the entity’s Chief Information Security Officer (CISO) must document and approve these controls in writing.
Exemptions and Classification
Entities are encouraged to review the updated “Am I Exempt?” flowchart and exemption criteria outlined in Section 500.19 to determine whether they qualify for:
- Full exemption (no filing required).
- Limited exemption (annual notification required, but some specific technical controls may not apply).
- Standard entity classification (required to meet all core requirements).
- Class A entity classification (required to meet the highest level of controls and monitoring).
The DFS Cybersecurity Resource Center offers detailed breakdowns by entity type, helping institutions identify which requirements apply based on their size, complexity, and risk profile.
Cybersecurity Regulation Refresher Videos
To assist entities in understanding both existing and upcoming requirements, DFS offers a Cybersecurity Regulation Refresher Video Series. These on-demand videos provide guidance on:
- Multi-factor authentication (MFA)
- Cybersecurity awareness training
- Encryption of non-public information (NPI)
- Incident response planning
- Business continuity and disaster recovery (BCDR)
The video library will be expanded to include May 2025 requirements, offering covered entities ongoing education and compliance support. Institutions are encouraged to incorporate these resources into their internal training programs.
The full video library is available in the Cybersecurity Resource Center.
SHIELD Act and Its Overlap with DFS Regulation
In addition to DFS-specific requirements, financial institutions should remain aware of their obligations under New York’s SHIELD Act (Stop Hacks and Improve Electronic Data Security Act). Although distinct from the DFS Cybersecurity Regulation, the SHIELD Act applies to all businesses holding private information of New York residents, regardless of whether they are DFS-regulated entities.
Key Elements of the SHIELD Act
- Applies to any company holding private information of New York residents.
- Requires businesses to maintain reasonable administrative, technical, and physical safeguards to protect data.
- Defines private information to include personal data combined with account numbers, biometric data, access credentials, and other sensitive identifiers.
- Applies to businesses both within and outside New York, as long as they process data belonging to New York residents.
Covered entities should ensure that their cybersecurity programs are aligned with both DFS Regulation requirements and SHIELD Act safeguards to maintain full compliance across all applicable frameworks.
DFS offers additional guidance on the SHIELD Act here.
Preparing for the 2025 Deadlines
With multiple deadlines and evolving regulatory expectations, 2025 will be a pivotal year for DFS-regulated entities. Covered entities should review:
- Their Annual Compliance Notification process to ensure timely, accurate filings by April 15, 2025.
- Their vulnerability management, access control, and security monitoring programs to ensure full compliance with the new May 1, 2025 requirements.
- Their internal policies, procedures, and training programs to align with DFS expectations.
- Their incident response and disaster recovery plans to ensure they reflect current threats and regulatory expectations.
Staying ahead of these updates is critical not just for regulatory compliance, but also for maintaining customer trust, operational resilience, and cybersecurity maturity in an increasingly high-risk environment.
Resources and Guidance
For complete information on the amended Cybersecurity Regulation, including exemptions, entity classifications, filing instructions, and educational videos, visit the DFS Cybersecurity Regulation Homepage.
Need Support for Your Cybersecurity Compliance Efforts?
Staying compliant with evolving DFS cybersecurity requirements takes more than just meeting deadlines — it requires a comprehensive understanding of regulatory expectations, a proactive approach to risk management, and effective internal controls tailored to your institution’s size and risk profile.
NETBankAudit specializes in cybersecurity audits, risk assessments, and compliance services designed to help financial institutions navigate DFS regulations with confidence. Whether you need assistance preparing for your Annual Compliance Notification, implementing new technical controls, or conducting a readiness assessment ahead of the May 2025 requirements, our experienced team is ready to help.