Financial institutions covered by 23 NYCRR Part 500 (Part 500) (covered entities) must annually certify their compliance with these cybersecurity regulations. As the April 15 date for certifying compliance approaches, the New York Department of Financial Services (NYDFS) has been reinforcing its focus on one particular element of the updated requirements – multifactor authentication (MFA). On February 26, 2026, NYDFS hosted a public cybersecurity presentation called “Let’s Talk MFA,” offering important insight into how NYDFS interprets and supervises the expanded MFA requirements under Part 500. The presentation and corresponding Frequently Asked Questions make clear that MFA remains a top supervisory priority – and that covered entities should expect close scrutiny of how their MFA is designed, implemented, documented and governed.

MFA is a baseline requirement, but not a one-size-fits-all control

Under the amendments to Part 500, MFA is now required for any person accessing a covered entity’s information systems, unless an exemption is approved in writing by the chief information security officer (CISO), or by the senior-most executive responsible for cybersecurity if the covered entity does not have a CISO. To comply with the requirements, the MFA must consist of at least two distinct authentication factors, each drawn from a different one of three categories: knowledge (something you know), possession (something you have) or inherence (something you are). Using two factors from the same category (for example, a password and a security question – both something you know) does not satisfy the requirement.
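The distinct-category rule above is the kind of check a covered entity can apply to each of its access paths before certifying. The following is an added illustration, not code from NYDFS or from the authors; the factor names, category mapping and sample configuration are constructed, and the written-exemption flag stands in for whatever record the entity keeps of CISO approval.

```python
from enum import Enum

class Category(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

# Constructed mapping of common factor types to the three categories
# (illustrative labels; not a list published by NYDFS).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "authenticator_app": Category.POSSESSION,
    "hardware_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}

def categories_of(factors):
    """Map configured factors to categories; an unclassified factor is a documentation gap, not a free pass."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified factors: {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}

def evaluate_access_path(name, factors, ciso_written_exemption=False):
    """Return a finding with the reason an examiner would expect to see documented."""
    if ciso_written_exemption:
        return {"path": name, "compliant": True,
                "reason": "written exemption approved by CISO (or senior-most cyber executive)"}
    cats = categories_of(factors)
    if len(cats) >= 2:
        return {"path": name, "compliant": True,
                "reason": "factors span " + ", ".join(sorted(c.name for c in cats))}
    # Two factors from one category (e.g. password + security question) are not MFA under Part 500.
    return {"path": name, "compliant": False,
            "reason": f"all factors are '{next(iter(cats)).value}'" if cats else "no factors configured"}

def review(config):
    """config: {path_name: {"factors": [...], "exemption": bool}} -> list of non-compliant findings."""
    findings = [evaluate_access_path(n, c.get("factors", []), c.get("exemption", False))
                for n, c in config.items()]
    return [f for f in findings if not f["compliant"]]

# Constructed sample of a covered entity's access paths (hypothetical names).
SAMPLE_CONFIG = {
    "workforce_vpn": {"factors": ["password", "authenticator_app"]},
    "legacy_portal": {"factors": ["password", "security_question"]},
    "saas_email_admins": {"factors": ["password", "hardware_key"]},
    "service_account": {"factors": ["password"], "exemption": True},
}

if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print(f["path"], "->", f["reason"])
```

Only `legacy_portal` is flagged, because its two factors are both knowledge factors; the exempted path passes only because a written exemption is recorded.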

While NYDFS stated that it is agnostic on specific MFA solutions, it reiterated that covered entities are expected to select MFA solutions and vendors appropriate for their specific risk profile. NYDFS’ “Let’s Talk MFA” presentation emphasized that simply deploying an MFA solution is not sufficient to meet the requirements if the configuration is weak or can be bypassed.

Specific use cases: Single sign-on, cloud platforms and external-facing websites

NYDFS highlighted a few specific use cases drawn from industry questions it received regarding Part 500’s updated MFA requirements. First, NYDFS confirmed that single sign-on (SSO) solutions are permitted under Part 500, provided that MFA is enforced and cannot be effectively bypassed through SSO. 

NYDFS also made explicit that cloud-based email, document hosting and other software as a service (SaaS) platforms are considered part of a covered entity’s “information systems” for purposes of Part 500, even when provided or managed by third parties. The entity must comply with Part 500 with respect to these platforms, and MFA must be enforced consistently on these platforms, including for privileged users. NYDFS stated that covered entities may not rely solely on a provider’s default MFA settings to satisfy Part 500 obligations. Instead, institutions are expected to evaluate whether those controls are compliant with Part 500 and appropriate to the covered entity’s risks, information systems and data.

Lastly, NYDFS addressed external-facing resources, a common question regarding the expansion of Part 500’s requirements. External websites intended solely for public consumption do not require MFA because they do not provide access to nonpublic information (NPI). However, NYDFS cautioned that if an external-facing system hosts NPI or poses a material risk to the covered entity or its customers, MFA to access those pages would be required. In practice, this means customer portals that provide access to NPI or other account information must have compliant MFA.

Privileged access remains a supervisory focus

NYDFS noted in the webinar that it continues to observe weaknesses where privileged or administrative users are not consistently subject to MFA. Because privileged access is inherently higher risk, NYDFS expects covered entities to address it explicitly in their risk assessments and consider appropriate MFA. The MFA used for standard access, NYDFS warned, may not be considered compliant for privileged access if privileged access poses significantly more risk to the covered entity’s information systems or NPI.

What NYDFS will look for in examinations

In the presentation, NYDFS noted that its supervisory exams will focus on:

  • Whether MFA is implemented where required.
  • Whether high-risk systems and users are appropriately protected through the use of MFA.
  • The configuration of MFA and its effectiveness.
  • The MFA’s ability to prevent phishing, replay attacks and technical bypasses.
  • How MFA integrates with the covered entity’s incident detection and response.

In short, NYDFS expects MFA to function as a meaningful security control and not a check-the-box exercise.

Practical takeaways

For covered entities, the “Let’s Talk MFA” presentation reinforces that MFA is now a foundational cybersecurity control under Part 500. Covered entities should ensure that their MFA programs are risk-based, well-documented, consistently enforced (particularly for privileged users and cloud platforms), and supported by strong governance and monitoring.

As NYDFS continues to refine its guidance and enforcement posture, covered entities that can demonstrate thoughtful design and substantive risk analysis will be best positioned in examinations and supervisory inquiries.

Stay tuned for the final installment of our Part 500 refresher series, where we’ll explore how NYDFS has tackled emerging and novel cybersecurity issues.

Authors

Mari Dugas

Mike Egan

Kate Goodman

Elyse Moyer

Bekah Putz

Posted by Jenna Moore