By Daniel Park, Product Marketing Manager
Over the course of 2024, help desks with clients in New York have been concerned with a series of requirements and best practices issued by the State’s Department of Financial Services (NYDFS), which regulates requirements for business cybersecurity programs and governance.
In this blog post, we’ll walk through the requirements outlined in the NYDFS’ Cybersecurity Resource Center, and how they might impact your business.
Who Has to Follow NYDFS Best Practices?
According to the NYDFS, financial institutions, health maintenance organizations (HMOs), continuing care retirement communities (CCRCs), exempt and non-profit mortgage loan servicers, DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are bound by these requirements and considered “Covered Entities” in the NYDFS’ regulations. Managed Service Providers and help desks may be required to offer coverage for these requirements for applicable clients.
Cybersecurity Program, Governance, & Risk Assessment Requirements
The NYDFS requires regulated organizations to have a “comprehensive cybersecurity program,” and prescribes alignment with a cyber assessment framework. While the regulations do not require a specific standard, NYDFS lists NIST, CRI, and the FFIEC Cyber Assessment Tool as frameworks commonly used to inform risk assessments.
New York State also requires (at minimum) annual risk assessments, as well as assessments during Mergers & Acquisitions (M&A) processes, or whenever “changes in… technology cause a material change” to an organization’s cyber risk.
Also, businesses can adopt part (or all) of their MSP’s cybersecurity program, as long as they are fulfilling all of the NYDFS’ requirements. Moreover, while a business can retain an employee of their third-party service provider as a CISO, at the end of the day, the customer/end users themselves are responsible for staying compliant with the NYDFS’ requirements. (This includes making sure the CISO in question is proactively staying compliant with these requirements.)
Self-Service Password Reset Best Practices
In January 2024, the NYDFS issued industry guidance to CISOs prescribing “effective Self-Service Password Reset (SSPR) controls” to authenticate users who access information systems at regulated organizations.
The industry letter specifically required that an organization properly configure their Self-Service Password Reset solution, and that an SSPR solution alone did not “securely authenticate users.”
Specifically, since a person doesn’t need an existing password to use SSPR, the NYDFS does not consider using a personal or work email address for SSPR to be secure, calling out how easy it is to guess an email or get an email address from social media or work-related websites.
Similarly, the NYDFS does not recommend authenticating via SMS and voice messages, since this leaves companies vulnerable to SIM swapping attacks, where an attacker can steal a user’s phone number and intercept their messages and authentication codes.
The NYDFS does recommend using a Mobile Device Management solution, logging and monitoring all SSPR events, not allowing employees to port phone numbers with carriers, limiting who can use an organization’s SSPR, and having processes in place to respond to suspicious SSPR activity.
Multi-Factor Authentication (MFA) Requirements
Today, the NYDFS requires organizations to implement MFA for users “accessing… internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
However, stricter requirements are coming. On November 1st, 2025, all organizations regulated by the NYDFS must use MFA to access any digital environments, “regardless of location, type of user, or type of information” in the system.
Even for organizations that may be exempt from the full regulatory requirements, the NYDFS will require MFA for remote access and all privileged accounts, “other than service accounts that prohibit interactive login.”
The NYDFS defines internal networks as email accounts, document hosting, and “related services whether on-premises or in the cloud,” containing private information. The compliance requirements list Microsoft 365 and Google Workspace as examples.
Vulnerability Management Requirements
While the NYDFS does not prescribe specific solutions, they do require institutions to implement solutions to help them proactively identify vulnerabilities or malicious activities. They strictly do not allow “non-continuous monitoring,” such as manually reviewing logs or firewall configurations to fulfill these requirements.
Thus, organizations might be able to use a Managed Detection and Response (MDR), managed Endpoint Detection and Response (EDR), or Extended Detection and Response (XDR) solution to meet these requirements.
How IT Teams Can Proactively Support NYDFS-Covered Institutions with CyberQP
The CyberQP team understands how important MSPs and help desks are to implementing robust security measures against evolving threats, and we’ve developed a platform with the capabilities to help you proactively support these new requirements:
- CyberQP Passwordless Just-in-Time Access enables IT teams to implement passwordless logins for unique technician privileged accounts, enabling them to achieve Zero Standing Privileges.
- CyberQP Automated Privileged Account Discovery simplifies mergers and acquisitions, allowing an organization to identify, audit, and take action on unseen privileged accounts with ease.
- CyberQP Self-Service Account Management makes it easy to implement self-service password resets, backed by your mobile device’s biometrics and CyberQP Customer Workforce Verification to ensure that anyone attempting to regain access to their accounts is who they claim to be.
Ready to get started? Connect with our team now.