The Final Phase Is Complete: Living with New York's DFS Cybersecurity Framework

Charlyn Ho
CEO Rikka Law Group | Co-Founder Enzio.ai
November 19, 2025·Insights

Back in 2023, the New York Department of Financial Services (DFS) introduced substantial amendments to its already robust Cybersecurity Regulation (23 NYCRR Part 500), with implementation deadlines phased in through November 1, 2025. This staged approach gave covered entities of varying sizes and complexity levels time to build out their cybersecurity programs thoughtfully rather than scrambling to achieve compliance overnight.

Understanding the Philosophy Behind the Changes

The amendments reflect lessons learned from years of cyber incidents across the financial services sector. DFS observed that while the original regulation established a strong foundation, emerging threats and technological changes demanded more specific guidance in certain areas. The updated requirements emphasize proactive risk management, enhanced governance, and more rigorous third-party oversight. The regulation now places greater emphasis on board-level engagement and executive accountability, acknowledging that effective cybersecurity programs need support and understanding from leadership.

Key Areas of Focus

The amended regulation strengthens requirements around several critical areas, including:

  1. Class A companies must design and conduct independent audits of their cybersecurity programs.
  2. Risk assessments, which continue to be required, must be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the entity's cyber risk.
  3. Cybersecurity policies must be reviewed and approved at least annually by the senior governing body or a senior officer, and supporting procedures must be documented.
  4. Cybersecurity awareness training for all personnel must now cover social engineering and must be provided at least annually.
  5. Covered entities must conduct penetration testing of their information systems from both inside and outside the systems' boundaries at least annually.
  6. Covered entities must implement multi-factor authentication (MFA) wherever it is not already in place.
  7. Covered entities must maintain a written policy requiring encryption that meets industry standards.
  8. The CISO's written report to the senior governing body must include plans for remediating material inadequacies.
  9. The CISO must report in a timely manner to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the cybersecurity program.
  10. The senior governing body must exercise oversight of the entity's cybersecurity risk management.
  11. Business continuity and disaster recovery plans that are reasonably designed to address a cybersecurity-related disruption must be in place.
  12. Enhanced requirements on limiting user access privileges must be implemented, and access must be promptly terminated following personnel departures.
  13. Written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of information systems must be implemented.

The Path Forward

One of the more considerate aspects of this regulatory update is how DFS has structured the rollout. Rather than imposing all requirements simultaneously, the department created a timeline that allowed organizations to prioritize their efforts and make meaningful progress in stages. This approach acknowledges the resource constraints many entities face and provides a more realistic path toward comprehensive compliance.

DFS has also committed to supporting covered entities through this transition. The department regularly publishes guidance documents, hosts industry forums, and provides channels for organizations to ask questions about specific requirements. This collaborative approach helps demystify expectations and allows entities to learn from peer experiences.

Final Thoughts

As the November 2025 deadline marks the completion of this multi-year implementation journey, covered entities should view this moment as the beginning of a more mature phase in their cybersecurity posture. The amended regulation has fundamentally shifted the conversation from compliance as a checkbox exercise to cybersecurity as an ongoing, board-level business imperative. The real measure of success will be how well these frameworks serve organizations in the years ahead, when facing threats that don't yet exist today.

See the official resources here.