The New York Financial Services Cybersecurity Countdown

By Rocket Software

3 min. read

October is Cybersecurity Awareness Month, a reminder for organizations everywhere to evaluate their resilience and security posture. For financial institutions in New York, the timing is especially urgent: the November 1, 2025 deadline for the final phase of 23 NYCRR Part 500 compliance is just weeks away.

Last year’s deadline (November 1, 2024) brought sweeping updates around encryption, incident response, and business continuity planning. This past May (2025) added further requirements for automated vulnerability scanning and hardened access controls. Now, the clock is ticking again: this time toward mandates that extend multi-factor authentication (MFA) and require comprehensive asset inventories across the enterprise.


Why the Stakes Are So High

Financial institutions depend on critical systems like mainframes, which process 95% of the world’s non-cash transactions every single day. A single breach can grind operations to a halt, damage customer trust, and trigger penalties in the tens of millions.

Yet too often, organizations secure cloud and distributed systems while overlooking host access and mainframe environments. Breaches tied to unsecured “green screen” access, for example, have exposed credentials, leaked sensitive data, and prolonged recovery times. Compliance gaps here are more than IT oversights; under the amended regulation they are board-level risks.


What 23 NYCRR Part 500 Requires

The regulation covers governance, technical safeguards, and resilience measures. Under the amended requirements, CISOs and boards must maintain active oversight, report material issues, and prove that critical safeguards are in place. Key deadlines include:

  • April 29, 2024 – Annual penetration testing requirement took effect, along with cybersecurity policy updates and annual employee training (including social engineering).
  • November 1, 2024 – Entities were required to implement an encryption policy meeting industry standards, update incident response and business continuity/disaster recovery (BC/DR) plans and meet new CISO reporting and board oversight obligations.
  • May 1, 2025 – Entities had to deploy automated vulnerability scanning (with manual review for non-scannable systems), enforce stricter access privilege controls, and implement malicious code protections.
  • November 1, 2025 – The final phase:
    • Enhanced MFA (Section 500.12): For most Covered Entities, MFA must be implemented for any user accessing any information system. For small businesses qualifying for a limited exemption under Section 500.19(a), MFA must still apply to remote access, third-party applications where nonpublic information (NPI) is accessible, and privileged accounts (other than service accounts that prohibit interactive login).
    • Asset Management (Section 500.13(a)): Covered Entities must maintain a complete, accurate, and documented inventory of their information systems, including ownership and location details.

These requirements apply to all environments: cloud, distributed IT, mainframes, and host systems. If even one is left unsecured, an institution’s compliance posture remains incomplete.

PCI DSS 4.0 and the Expanding Compliance Landscape

The NYDFS deadlines don’t exist in a vacuum. Global standards are tightening in parallel. The Payment Card Industry Data Security Standard (PCI DSS) 4.0, effective March 31, 2025, introduced expanded requirements for encryption, authentication, and continuous monitoring across payment environments.

Together, NYDFS Part 500 and PCI DSS 4.0 underscore a clear reality: compliance is becoming more comprehensive, more continuous, and more demanding. Organizations that act reactively risk falling into a costly cycle of catch-up, while those who take a proactive stance will not only meet deadlines but also build enduring resilience.

Beyond Compliance: Building Cyber Resilience

Compliance may start as a checklist, but its true value lies in resilience. Meeting NYDFS Part 500 requirements means reducing the risk of breaches, ensuring faster recovery from incidents, and strengthening trust with regulators, customers, and partners.

With AI-driven threats accelerating and global regulations already in effect, including the Digital Operational Resilience Act (DORA) in the EU and PCI DSS 4.0 across payment environments, financial institutions face a new era where compliance is continuous, monitored and interconnected.


One Month Left: Time to Take Action

The countdown is on. With only weeks remaining before November 1, CISOs must act decisively. The cost of delay is too great: regulatory exposure, reputational damage, and increased cyber risk – just to name a few.

This Cybersecurity Awareness Month, don’t let your mission-critical systems become your weakest link.

To support CISOs and security leaders in navigating these requirements, Rocket Software has a readiness checklist to help you achieve and maintain compliance with confidence.


This blog post is for informational purposes only and does not constitute legal advice.
