
DFS Cybersecurity Regulation Updates

(Sept. 30, 2025) The NYS Department of Financial Services (DFS) has issued a Cybersecurity Update. Below are three articles that are notable to members who are subject to the DFS Cybersecurity Regulation, such as Continuing Care Retirement Communities (CCRCs). To get DFS Cybersecurity Updates directly, subscribe to Cybersecurity Updates. For additional questions related to the Cybersecurity Regulation, email DFS’s Cybersecurity team at cyberregsupport@dfs.ny.gov.

Visit the Cybersecurity Resource Center for all of DFS’s cybersecurity tools and guidance.

Contact: Diane Darbyshire, ddarbyshire@leadingageny.org, 518-867-8828

---

Below are the relevant DFS articles excerpted from the update:

Final Part 500 Requirements Take Effect November 1

On November 1, 2025, the next phase and final requirements of the amended Cybersecurity Regulation take effect. As of November 1, Covered Entities must comply with:

  • Enhanced MFA Requirements (Section 500.12): Covered Entities from the Small Business, Standard, and Class A categories must comply with enhanced MFA requirements. With limited exceptions,
    • Covered entities qualifying for a limited exemption pursuant to Section 500.19(a) – Small Businesses – must use MFA for remote access to their information systems, remote access to third-party applications, and all privileged accounts other than service accounts that prohibit interactive login, and
    • All other covered entities must utilize MFA for any individual accessing any information system of a Covered Entity.
  • Asset Management (Section 500.13(a)): All Covered Entities must implement written policies and procedures to maintain a complete, accurate, and documented asset inventory of their information systems that includes, among other things, tracking ownership and location.

DFS encourages Covered Entities to prepare now and review available resources on the Cybersecurity Resource Center.

New Multi-Factor Authorization (MFA) Resource

DFS has published a new factsheet on MFA, explaining different MFA methods, their relative strengths, and the upcoming November 2025 requirements. Covered Entities should review the factsheet to ensure compliance and select secure MFA solutions suited to their risk profiles.

Find more details on the MFA Factsheet.

ICYMI: Annual Compliance Submissions Were Due in April

As a reminder, Covered Entities were required to submit their annual compliance notifications (Certification of Material Compliance or Acknowledgement of Noncompliance) by April 15, 2025. If not yet submitted, Covered Entities must submit such notifications through the DFS portal immediately.

Covered Entities that qualify for full exemptions from the Cybersecurity Regulation do not have to submit annual compliance notifications. However, Covered Entities that qualify for limited exemptions still are required to submit an annual notification regarding their compliance.

DFS has created step-by-step instructions for submitting either a Certification of Material Compliance or an Acknowledgement of Noncompliance. For instructions and guidance on which form to file, visit the Submit a Compliance Filing section in the Cybersecurity Resource Center.

Cybersecurity Insights: Help Desk Social Engineering

DFS continues to observe recurring cybersecurity themes that warrant close attention. These issues should be top of mind in Covered Entities’ risk assessments and central to the ongoing strengthening of cybersecurity programs.

  • Rise in Social Engineering of IT Help Desk Personnel: DFS has observed a recent increase in incidents where threat actors are manipulating help desk personnel by gaining unauthorized remote access to information systems. They do so by coaxing them into resetting MFA tokens or changing passwords. When threat actors pose as internal IT professionals and/or use caller ID spoofing techniques, these attacks are even harder to spot. Organizations should alert all relevant staff to these threats, review and strengthen their identity verification protocols, monitor for anomalous behavior, and conduct simulated social engineering attacks to train personnel.

See the Department’s September 2024 alert on “Social Engineering of Institutions’ IT Help Desk Personnel.” CISA also provides additional information on this topic: Avoiding Social Engineering and Phishing Attacks and Scattered Spider.
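One way to act on the “monitor for anomalous behavior” recommendation above, as an added example that is not part of the DFS update or of this page: a small correlation rule run over constructed help-desk ticket and identity-provider audit records. The record shape, the field names, and the set of verification methods treated as weak are assumptions, not any vendor’s schema or DFS guidance. The rule flags a help-desk MFA reset that was approved on a verification method an impostor could satisfy (for example, caller ID alone), or that was followed within an hour by a successful sign-in from a device the user had never used before.

```python
"""
Detection sketch: correlate help-desk-initiated MFA resets with the
sign-ins that follow them, and surface the resets that look like
help-desk social engineering (weak caller verification, or a sign-in
from a never-before-seen device shortly after the reset).

Constructed example. The event records below are simplified, generic
audit entries; their field names are assumptions, not a real product's API.
"""
from datetime import datetime, timedelta

# Constructed sample audit trail, oldest first (field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T08:02:00", "type": "signin", "user": "jdoe",
     "device": "LAPTOP-A1", "ip": "203.0.113.10", "result": "success"},
    {"ts": "2025-09-01T08:05:00", "type": "signin", "user": "asmith",
     "device": "LAPTOP-B7", "ip": "203.0.113.11", "result": "success"},
    # Help desk resets jdoe's MFA after a phone call verified only by caller ID.
    {"ts": "2025-09-03T13:40:00", "type": "helpdesk_mfa_reset", "user": "jdoe",
     "agent": "hd-agent-2", "ticket": "HD-1001", "verification": "caller_id"},
    # Twenty minutes later "jdoe" signs in from a device never seen before.
    {"ts": "2025-09-03T14:00:00", "type": "signin", "user": "jdoe",
     "device": "UNKNOWN-9F", "ip": "198.51.100.77", "result": "success"},
    # A benign reset: asmith was verified by a callback to the number on file,
    # then signs in from the laptop already associated with the account.
    {"ts": "2025-09-04T09:10:00", "type": "helpdesk_mfa_reset", "user": "asmith",
     "agent": "hd-agent-1", "ticket": "HD-1002", "verification": "callback_on_file_number"},
    {"ts": "2025-09-04T09:25:00", "type": "signin", "user": "asmith",
     "device": "LAPTOP-B7", "ip": "203.0.113.11", "result": "success"},
]

# Verification methods a caller can spoof or look up; treated as weak here (assumption).
WEAK_VERIFICATION = {"caller_id", "none", "employee_id_only"}


def parse_ts(s):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(s)


def known_devices_before(events, user, cutoff):
    """Devices the user successfully signed in from strictly before `cutoff`."""
    return {e["device"] for e in events
            if e["type"] == "signin" and e["user"] == user
            and e["result"] == "success" and parse_ts(e["ts"]) < cutoff}


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Return one finding per help-desk MFA reset that was approved on a weak
    verification method, or that was followed within `window` by a successful
    sign-in from a device the user had never used. Each finding lists the
    reasons so an analyst can triage it."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for reset in (e for e in events if e["type"] == "helpdesk_mfa_reset"):
        t0 = parse_ts(reset["ts"])
        reasons = []
        if reset.get("verification") in WEAK_VERIFICATION:
            reasons.append(f"weak verification: {reset.get('verification')}")
        # Baseline is built only from sign-ins that predate the reset, so the
        # attacker's own post-reset device cannot make itself look "known".
        baseline = known_devices_before(events, reset["user"], t0)
        for e in events:
            if (e["type"] != "signin" or e["user"] != reset["user"]
                    or e["result"] != "success"):
                continue
            t = parse_ts(e["ts"])
            if t0 <= t <= t0 + window and e["device"] not in baseline:
                minutes = int((t - t0).total_seconds() // 60)
                reasons.append(f"new device {e['device']} from {e['ip']} "
                               f"{minutes} min after reset")
        if reasons:
            findings.append({"ticket": reset["ticket"], "user": reset["user"],
                             "agent": reset["agent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"{f['ticket']} user={f['user']} agent={f['agent']}: "
              + "; ".join(f["reasons"]))
```

On the constructed trail the rule reports only ticket HD-1001, with both reasons attached; the callback-verified reset for asmith produces no finding because the follow-up sign-in came from a device already in that user’s history. In a real deployment the same two signals would come from the ticketing system’s verification field and the identity provider’s sign-in log, and each finding would go to the analyst queue rather than to stdout.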