The New York Department of Financial Services (NYDFS) will implement new cybersecurity requirements on Nov. 1, introducing enhanced rules around multifactor authentication (MFA) and asset management for covered entities under the state’s financial services law.
Who Must Comply
Under NYDFS regulations, a “covered entity” refers to any organization operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization issued pursuant to New York’s banking, insurance, or financial services laws. This includes businesses such as banks, insurers, and certain financial institutions.
While collection agencies and other service providers may not be directly covered, they often qualify as third-party service providers to covered entities. In such cases, they are subject to cybersecurity oversight through their relationships with regulated organizations.
MFA Requirements
By Nov. 1, covered entities in the small business, standard, and Class A categories must comply with enhanced MFA procedures outlined in Section 500.12 of the NYDFS Cybersecurity Requirements.
Covered entities are required to:
- Develop and implement written policies to secure systems accessible by third-party service providers.
- Conduct risk assessments addressing controls for these providers.
- Use MFA for remote access to information systems, remote access to third-party applications, and all privileged accounts (excluding service accounts that prohibit interactive login).
To support compliance, the NYDFS has published a new Multifactor Authentication Factsheet (PDF), which outlines accepted MFA methods and details the requirements effective in November 2025.
Asset Management Requirements
In addition to MFA, all covered entities must adopt written asset management policies and procedures in accordance with Section 500.13(a). This includes maintaining a complete and accurate inventory of information system assets—documenting ownership, location, and other relevant details.
Additional Guidance and Timelines
The NYDFS Cybersecurity Resource Center offers guidance to help covered entities, affiliates, and third-party providers prepare for these upcoming requirements. It includes detailed implementation timelines for:
These timelines outline key compliance dates and expectations based on organizational size and classification.
Author: Jennifer Evancic
Jennifer.Evancic@ResourceManagement.com