The New York State Department of Financial Services published the Second Amendment to its cybersecurity regulation, 23 NYCRR Part 500, in November 2023. The amendment introduced a phased implementation schedule running from April 2024 through November 2025, with the final and arguably most consequential phase landing on November 1, 2025: universal multi-factor authentication and a written asset inventory program. The first annual certification covering the post-amendment posture was due April 15, 2026. With that certification window closed, the compliance picture is now visible, and the lessons are clear: many covered entities completed the technical work, but the documentation and exception-management discipline behind it are uneven.
What did the Second Amendment actually change?
The Second Amendment expanded Part 500 substantially. The full scope is broader than this post can cover, but the headline changes were these. First, a tiered structure: large "Class A Companies" face heightened requirements including independent audit and privileged access management programs. Second, governance: the CISO must annually report to the board, the board must approve the cybersecurity policy, and the CEO and CISO must jointly certify material compliance each April. Third, incident reporting: 72-hour notification to NYDFS for covered cybersecurity events and 24-hour notification for ransom payments. Fourth, business continuity: written BCDR plans with periodic testing. Fifth, the November 2025 controls: MFA for all individuals accessing any information system (with limited CISO-approved exceptions), and an asset inventory implemented through written procedures.
What does the November 2025 MFA requirement actually demand?
Section 500.12 of the amended rule requires MFA for any individual accessing any information system, not only privileged or remote users as the prior rule allowed. The expansion materially changes coverage in three places that had been gray areas: third-party contractors and consultants accessing covered systems, on-premises users accessing systems from inside the corporate network, and service accounts that have historically been excluded from MFA. The rule permits the CISO to approve in writing reasonably equivalent or more secure compensating controls for specific systems, but requires annual review of those approvals. Most covered entities completed the technical work for human users; the exception register and compensating-control documentation for service accounts and legacy systems is where audits are revealing gaps.
What does the asset inventory requirement demand?
Section 500.13(a) requires covered entities to implement written policies and procedures for the creation and maintenance of an asset inventory. The inventory must include, at minimum, methods to track key information for each asset, including owner, location, classification, support expiration date, and recovery time objectives. The frequency of review must be defined. The rule does not mandate a specific tool, but it does mandate that the policy describe how the inventory is produced, kept current, and used in risk management. Covered entities that started from a partial CMDB and a separate vulnerability scanner output have struggled to define a single authoritative inventory; those that adopted an integrated asset graph approach have found compliance more straightforward.
What did the April 15, 2026 certification reveal?
April 15, 2026 was the first annual filing where covered entities certified compliance with the November 2025 requirements for the full reporting period. NYDFS receives two filing types: a Certification of Material Compliance (signed jointly by the CEO and CISO) or an Acknowledgement of Noncompliance with a detailed remediation plan. The early read on filings, drawn from public commentary and industry surveys, is mixed. Most large institutions filed certifications. A nontrivial fraction of mid-market institutions filed acknowledgements citing gaps in the new MFA coverage and asset-inventory documentation, particularly around third-party access and service accounts. NYDFS has signaled that examinations and enforcement actions will scrutinize both filings — the certifications must be defensible, and the acknowledgements must come with realistic remediation timelines.
# Part 500.12 MFA scope worksheet
For each information system, document:
- User population (employees, contractors, customers, service accounts)
- MFA enforced (yes/no/exception)
- Factor type (phishing-resistant required for privileged)
- If exception, compensating control and CISO approval date
- Annual review date
# Part 500.13(a) asset inventory minimum fields
- Asset ID and type
- Owner (named individual, not "IT")
- Location (datacenter / cloud account / endpoint pool)
- Classification (and ePHI/CUI/PII flags as applicable)
- Support expiration / EOL date
- Recovery time objective
- Last reviewed
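As an added illustration (not code from the post or from Safeguard), a small Python checker that applies the two worksheets above to constructed sample rows: it flags systems with no MFA and no exception, exceptions lacking a compensating control or CISO approval, exceptions past their annual review, privileged access without a phishing-resistant factor, and inventory rows that miss the 500.13(a) minimum fields, are owned by a generic team, or have not been reviewed. The factor labels, field names and the 12-month review window are assumptions.

```python
from datetime import date
CERT_DATE = date(2026, 4, 15)  # filing date from the post; all rows below are constructed samples
MFA_ROWS = [
    {"system": "core-banking", "mfa": "yes", "privileged": True, "factor": "fido2",
     "review": date(2026, 2, 1)},
    {"system": "batch-etl", "mfa": "exception", "privileged": True, "factor": None,
     "compensating_control": "cert-bound, IP-restricted", "ciso_approval": date(2024, 10, 15),
     "review": date(2024, 10, 15)},
    {"system": "vendor-portal", "mfa": "no", "privileged": False, "factor": None, "review": None},
]
ASSET_ROWS = [
    {"asset_id": "srv-001", "type": "vm", "owner": "j.doe", "location": "aws:123456789012",
     "classification": "confidential", "eol": date(2027, 1, 1), "rto_hours": 4,
     "last_reviewed": date(2026, 1, 10)},
    {"asset_id": "srv-002", "type": "vm", "owner": "IT", "location": "dc-east",
     "classification": "", "eol": None, "rto_hours": 24, "last_reviewed": date(2024, 6, 1)},
]
PHISHING_RESISTANT = {"fido2", "piv", "passkey"}  # assumed labels for factor types
ASSET_FIELDS = "asset_id type owner location classification eol rto_hours last_reviewed".split()

def stale(d, today, days=365):
    # A missing review date counts as stale: the review has to be evidenced, not assumed.
    return d is None or (today - d).days > days

def check_mfa(rows, today):
    # 500.12 worksheet: every system is either covered or carries a live, approved exception.
    findings = []
    for r in rows:
        if r["mfa"] == "no":
            findings.append((r["system"], "no MFA and no documented exception"))
        elif r["mfa"] == "exception":
            if not r.get("compensating_control") or not r.get("ciso_approval"):
                findings.append((r["system"], "exception lacks compensating control or CISO approval"))
            if stale(r.get("review"), today):
                findings.append((r["system"], "exception not reviewed within 12 months"))
        elif r["privileged"] and r["factor"] not in PHISHING_RESISTANT:
            findings.append((r["system"], "privileged access without phishing-resistant factor"))
    return findings

def check_assets(rows, today):
    # 500.13(a) minimum fields: complete, owned by a named individual, reviewed on schedule.
    findings = []
    for r in rows:
        missing = [f for f in ASSET_FIELDS if r.get(f) in (None, "")]
        if missing:
            findings.append((r["asset_id"], "missing fields: " + ", ".join(missing)))
        if r.get("owner", "").lower() in ("it", "ops", "team"):
            findings.append((r["asset_id"], "owner must be a named individual"))
        if stale(r.get("last_reviewed"), today):
            findings.append((r["asset_id"], "not reviewed within defined review period"))
    return findings
```

Run against the sample rows as of the April filing date, the checker returns two MFA findings (a stale service-account exception and an uncovered contractor system) and three inventory findings, all on the row with a generic owner.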
How does Class A Company status affect obligations?
Class A Companies — generally those with over $20 million in revenue from NY operations and over 2,000 employees or $1 billion in revenue — face additional obligations including independent audit of the cybersecurity program, monitored use of privileged access via PAM tooling, and password complexity controls implemented through a CISO-approved policy. The Class A audit requirement matters because it brings an external attestation function into the regulator's view, similar in spirit to FedRAMP's third-party assessor model. Covered entities near the Class A threshold need to plan for that audit cost and the supporting evidence regimen if they expect to cross.
How does Part 500 stack with SEC, CIRCIA, and HIPAA?
Many Part 500 covered entities are also SEC registrants subject to Item 1.05, are within scope of CIRCIA when it finalizes, and — if affiliated with healthcare benefit administration — are HIPAA business associates or covered entities. A single material incident can trigger a 24-hour NYDFS ransom payment report, a 72-hour NYDFS cybersecurity event notice, a 72-hour CIRCIA report once that rule finalizes, a four-business-day SEC 8-K (Item 1.05) if material, HIPAA Breach Notification within 60 days, FTC Safeguards Rule notification within 30 days, and state attorney general notifications under various clocks. The overlapping timers are not theoretical — they are now a routine planning input for the regulated incident-response playbook.
What should covered entities do for the next reporting cycle?
Three focus areas. First, harden the documentation behind the November 2025 controls — the MFA exception register, the asset inventory policy and its evidence trail, and the compensating-control approvals. Second, prepare for the next phase of NYDFS examinations, which will focus on whether certifications are supported by sustainable practice rather than point-in-time snapshots. Third, integrate the Part 500 evidence base with adjacent regimes (SEC, CIRCIA, HIPAA, FTC Safeguards) so the same control evidence serves multiple obligations. NYDFS examiners are not impressed by parallel evidence repositories that contradict each other.
How Safeguard Helps
Safeguard maintains the authoritative asset inventory that section 500.13(a) requires, with continuous reconciliation across cloud accounts, on-premises systems, SaaS, and endpoint pools, and with ownership and classification metadata at the field level NYDFS expects. Griffin AI cross-references that inventory with MFA coverage telemetry, encryption posture, and patch SLA performance, producing certification-ready evidence the CISO can carry into the April filing. TPRM workflows track the third-party access expectations under section 500.11, with annual due diligence on critical service providers and continuous monitoring for material changes in their posture. Policy gates can enforce MFA coverage at deploy time and surface assets that drift out of inventory compliance, so the program operates continuously rather than in the weeks before the certification deadline.