Coronavirus Resources
powered by LeadingAge New York
  1. Home
  2. » Providers
  3. » Continuing Care Retirement Communities
  4. » CCRC Policy and Legislative
  5. » DFS Issues Cybersecurity Guidance Related to Third-Party Service Providers; Final Part 500 Requirements Now Effective

DFS Issues Cybersecurity Guidance Related to Third-Party Service Providers; Final Part 500 Requirements Now Effective

(Nov. 4, 2025) The NYS Department of Financial Services (DFS) recently released updated cybersecurity guidance focusing on the potential risks associated with a growing reliance on third-party service providers (TPSPs). The guidance highlights risks associated with TPSPs, as well as strategies to manage these risks as part of an effective cybersecurity program.

While the guidance does not introduce new requirements or obligations for DFS-regulated entities, it clarifies existing regulatory expectations and suggests best practices for DFS-regulated entities to consider. Click here to review DFS’s industry letter in its entirety.​​​​​​​

REMINDER: Final Part 500 Requirements Effective Nov. 1st

On Nov. 1, 2025, the next phase and final requirements of the amended Cybersecurity Regulation took effect. As of Nov. 1st, Covered Entities must comply with:

  • Enhanced Multi-Factor Authentication (MFA) Requirements (Section 500.12): Covered Entities from the Small Business, Standard, and Class A categories must comply with enhanced MFA requirements. With limited exceptions:
    • Covered Entities qualifying for a limited exemption pursuant to Section 500.19(a) – Small Businesses – must use MFA for remote access to their information systems, remote access to third-party applications, and all privileged accounts other than service accounts that prohibit interactive login; and
    • All other Covered Entities must utilize MFA for any individual accessing any information system of a Covered Entity.
  • Asset Management (Section 500.13(a)): All Covered Entities must implement written policies and procedures to maintain a complete, accurate, and documented asset inventory of their information systems that includes, among other things, tracking ownership and location.

DFS encourages Covered Entities to review available resources on the Cybersecurity Resource Center.

Contact: Annalyse Komoroske Denio, akomoroskedenio@leadingageny.org, 518-867-8866

Share

13 British American Blvd Suite 2
Latham, NY 12110
518.867.8383
518.867.8384 fax