New York State DFS Updated Cybersecurity Rule

The New York State Department of Financial Services (NYDFS) rolled out its latest cybersecurity regulation update on May 1, 2025, and it’s one that all covered entities, including individual licensees, need to address.

What Has Changed?

Covered entities must implement the following:

• Restrict Access Privileges: Only grant access on a need-to-know basis, especially for admin and privileged accounts.
• Review and Revoke Unused Access: Regularly audit user access and immediately disable accounts that are no longer needed.
• Secure Remote Protocols: Disable or harden any protocols that allow remote control of systems (e.g., RDP, VNC).
• Terminate Access Immediately After Departures: Ensure that access is shut off as soon as personnel leave.
• Establish a Written Password Policy: If passwords are used in your environment, you must implement and document a reasonable policy around their creation and management.

What You Need to Do

For optimal security, these measures should already be in place. It's important that you've implemented an internal review of your access controls and password policies, established airtight offboarding workflows, and conducted a thorough audit of your remote access configurations. LMT's 365 Monitoring and Managed Services offer regular user access audits as part of a comprehensive security strategy.

Stay safe and cautious.