Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to carefully review their compliance in view of the NYDFS interpretations and guidance.
On February 26, 2026, three senior representatives of the New York Department of Financial Services (NYDFS) hosted a webinar to provide guidance on the significantly expanded multi-factor authentication (MFA) requirements of Section 500.12 of the Second Amendment to the Cybersecurity Regulation of the New York Department of Financial Services (23 NYCRR 500), which took effect on November 1, 2025. Therefore, covered entities must consider their compliance in preparing to submit their annual certificate of compliance or acknowledgment of noncompliance for 2025 by the April 15, 2026, deadline.
The slide deck presented in the webinar is now available on the NYDFS Cybersecurity Resource Center at Cybersecurity Training – Let’s Talk MFA. Relevant FAQs and a guidance document are currently posted at Cybersecurity Resource Center FAQs and Multifactor Authentication Guidance.
This post reviews the content of the webinar and offers tips for addressing the MFA requirement, which are important for good security even for those not technically subject to the NYDFS Cybersecurity Regulation.
What’s a Covered Entity?
The webinar began with a review of the definition of covered entity (essentially, any person subject to NYDFS regulation) and the three types, of which only class A companies are formally defined in the Cybersecurity Regulation:
- “Small businesses” that are subject to the limited exemptions of Section 500.19(a) (based on thresholds for employees, revenues, and assets). These entities are exempt from certain specified requirements of the NYDFS Cybersecurity Regulation, including some of the expanded MFA requirements, although they must partially comply with MFA requirements for the first time;
- “Class A companies” (defined in Section 500.1(d)) that have at least $20 million in gross annual revenues in each of the last two fiscal years (combining the covered entity’s total revenues with the New York revenues of its affiliates), and either (i) more than 2,000 employees or (ii) more than $1 billion in gross annual revenues from all operations of the covered entity and its affiliates, which are subject to all of the requirements of the Cybersecurity Regulation; and
- Standard (or non-class A) companies, which are neither “small businesses” nor “class A companies,” and which are subject to most, but not all, of the requirements of the Cybersecurity Regulation.
What Is MFA?
The webinar then reviewed the meaning of MFA as defined by Cybersecurity Regulation Section 500.1(j), which adopts the common definition of at least two of the following types of authentication factors: (i) knowledge factors (i.e., something you know, such as a password); (ii) possession factors (i.e., something you have, such as a token); or (iii) inherence factors (i.e., something you are, such as a biometric characteristic).
The NYDFS stressed that not all factors are created equal, and some factors of the same type may not present the same level of security. For example, some possession factors may not be as secure as others; obviously, not all passwords are considered strong. The NYDFS underscored that different MFA methods present different trade-offs and that covered entities should understand those trade-offs “to make informed, risk-based decisions” about which methods to deploy for particular systems and users. Indeed, implementation should be based on the risk assessment, with higher risk systems requiring more secure authentication factors.
Implementation – Beyond Adoption
Satisfying the MFA requirement means more than the adoption of compliant technology. Effective implementation across all information systems is critical. Perhaps the most important revision of the Second Amendment is that, for covered entities other than small businesses, MFA is now required for all user access to information systems (subject to the provision for compensating controls described below). Note that prior to November 1, 2025, MFA was only required for remote access, so this represents a major expansion of scope. Small businesses, previously exempt from the MFA requirement, must now implement MFA for remote access and for privileged accounts.
When reviewing for compliance, the NYDFS will examine how and to what extent MFA is implemented. The NYDFS picked up on themes addressed in the existing FAQs posted on the DFS website, including the inefficacy of browser-based possession factors, and the applicability of the MFA requirement to laptops. The NYDFS emphasized that they do not require or endorse any particular technical solution, but they expect covered entities to base decisions on their risk assessment.
There was also discussion of the applicability of the MFA requirement to online facilities, including public-facing websites. Basically, as reflected in the FAQs, access to websites and portals that present nonpublic information or permit access to other information systems must be safeguarded by MFA, based on the risk assessment.
Alternatives to Satisfying the MFA Requirement
The NYDFS discussed the use of compensating controls instead of safeguards meeting the definition of MFA. Under Section 500.12(b), “If the covered entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls.” The NYDFS emphasized the requirements that the compensating controls must be “reasonably equivalent or more secure,” and that the CISO’s determination must be documented and reviewed annually.
*****
MFA Tips and Implications for the Annual Certification
Given the language of the NYDFS Cybersecurity Regulation, as further explained by the FAQs and the webinar, what can covered entities (and others) do to enhance their compliance and security profile?
- Review and Update the Risk Assessment. Like all good efforts at cybersecurity, the NYDFS requirements start with the risk assessment. Update it regularly so that it considers all information systems and all points of access, including remote and on-prem.
- Consider ALL User Access to Information Systems. As noted above, MFA is now required for all user access, not just remote, to all information systems of the covered entity, unless the covered entity qualifies for the limited small-business exemption under Section 500.19(a), in which case MFA is now required for remote access and privileged accounts. The expanded MFA requirement can create an implementation challenge for certain systems, such as point of sale and other terminals that provide access to information systems.
- Review Implementation for Security and Risk, not Just Compliance. Not all MFA is created equal. Consider whether passwords, tokens, push notifications, and other factors offer the appropriate level of security based on the risk assessment.
- Review and Document Compensating Controls. As an alternative to MFA, the covered entity may rely on compensating controls to authenticate access. This reliance must be supported by a well-considered, annually reviewed, and documented recommendation by a qualified CISO that the controls are “reasonably equivalent or more secure” than MFA.
- Consider the Material Compliance Standard. The annual certification requirement of Section 500.17(b) of the Cybersecurity Regulation is based on “material compliance” with all applicable requirements of the Regulation for the calendar year. This is a judgment call by the covered entity in the context of its risk assessment. Decisions should be carefully documented.