Secure Controls Framework
Download The SCF
NY DFS Part 500

What changed in the 2023 NY DFS Part 500 amendments?

Direct Answer

The 2023 amendments introduced senior executive compliance certification, mandatory MFA for all remote access and privileged accounts, a 72-hour cybersecurity event notification requirement, a 24-hour ransom payment notification requirement, annual penetration testing, and enhanced requirements for Class A companies. Implementation dates were phased - verify current status of each requirement with DFS.

Before the 2023 amendments, NY DFS Part 500 had been in effect since 2017 but was considered less prescriptive than newer state regulations. The amendments strengthened enforcement accountability by requiring the CEO or equivalent to personally certify compliance annually. The mandatory MFA requirement eliminated previous flexibility - organizations must now document CISO-approved exceptions for any privileged account that does not use MFA. The 24-hour ransom payment notification requirement is among the most aggressive in any state law.

Keep Exploring

Relevant Resources

References

Authoritative Sources