- Latest NYDFS cyber rule amendments are more technical
- Granular requirements will bolster regulator’s enforcement
As another cybersecurity compliance deadline hits in New York, the impact may be most deeply felt by smaller companies—as well as vendors and other businesses outside the financial sector that technically aren’t within scope of the regulation.
The New York Department of Financial Services’ (NYDFS) latest Cybersecurity Regulation amendments go into effect Thursday for financial, banking, and insurance entities, and they’re among the most technical and granular requirements yet.
Some of the amendments call for mature in-house cyber teams, reliable third-party vendor solutions, as well as technology and process investments, cyber attorneys said. While most big companies have a head-start on compliance, many smaller businesses and vendors to the largest companies face a more uphill implementation.
Companies that aren’t in scope but that sell products to covered entities, for example, may soon be contractually expected to follow similarly stringent standards. Smaller businesses that recently registered in the state, such as insurance producers or agents, may also be surprised to find themselves pressed to comply with the most comprehensive state cyber requirements in the US.
“This set is some of the more technical set—and perhaps that’s why companies were given more time to deal with them,” said Michael T. Borgia, lead of Davis Wright Tremaine LLP’s information security group in the technology, communications, and privacy and security practice.
NYDFS’s cybersecurity rules have been rolled out in phases since they were updated in 2023. Cybersecurity requirements going into effect May 1 largely solidify security industry standards—but they also bolster the leading state cyber regulator’s enforcement ammunition.
Despite their somewhat limited jurisdiction, “they see their charge as bigger—as having a real effect on the financial services industry writ large,” said Borgia, who represents clients in telecommunications, financial services, cloud computing, and information technology sectors.
Some companies have already flagged concerns over New York’s heightened regulations.
Chubb Ltd., which provides commercial and personal property insurance, disclosed in February that NYDFS’s cyber rule increased its compliance costs and “could increase the risk of noncompliance,” regulatory enforcement, and reputational risk. Financial services company Ally Financial Inc., health-care marketplace GoHealth Inc., and global banking group Santander Holdings USA, among others, also pointed to the regulator’s cyber rules this year as an area of risk that increases the complexity and costs of operations.
To-Dos
The cybersecurity rule covers any person operating under, or required to operate under, a license, registration, accreditation, or similar authorization under the state’s Banking Law, the Insurance Law, or the Financial Services Law—a fairly large category that includes everything from health insurers to credit unions, foreign banks, and mortgage providers.
The NYDFS split the requirements due before May 1 by company size. All covered entities need to conduct automated scans of their systems and manually review systems not covered by these scans to identify vulnerabilities. They also need to implement enhanced requirements around access privileges, controls to protect against malicious code, and a “reasonable” written password policy.
Businesses of all sizes also need to disable or securely configure protocols that permit remote control of devices—commonly used by IT help desks in many companies.
“This is really challenging, because this is a threat vector that cyber criminals use all the time,” said Michelle A. Reed, co-chair of Paul Hastings LLP’s data privacy and cybersecurity group, which has helped private equity and other investment firms implement the regulation.
Class A companies face additional demands. These are defined as businesses with more than $20 million in annual revenue in the last two years stemming from operations in the state, and that either have more than 2,000 employees or over $1 billion in annual revenue in the last two years from business operations beyond the state.
Those businesses will also have to implement an endpoint detection and response solution to monitor suspicious activity, as well as a centralized solution to log security event alerts. These often require companies to purchase third-party solutions that they then have to deploy across their entire ecosystem.
“There’s a lot of work that is involved in executing these things,” Reed said, noting that many businesses started working on implementing these “many years” ago.
Large companies must also bolster access processes, including implementing a privileged access management (PAM) solution. The additional demands seek to address a trend of cyber criminals exploiting privileged users—meaning the select employees within companies that have access to certain sensitive accounts or data.
“All of these things cost money, and so now they’re saying, if you’re really a big player here, we are going to mandate that you have this,” Reed said.
Looking Ahead
The amendments come two weeks after covered entities were required for the first time to file attestations of compliance with most of the amendments. They will have to attest to their compliance—or non-compliance—with this batch of requirements in April 2026.
“Large mature organizations probably have the vast majority of these steps in place and if they don’t, they’ve been cutting corners,” said Erik Dullea, head of Husch Blackwell LLP’s cybersecurity group.
The next few weeks will bring another set of compliance hurdles.
Beginning Nov. 1, companies will have to mandate, among other requirements, the use of multi-factor authentication for all individuals accessing businesses’ information systems. Chief Information Security Officers (CISOs) will be able to advocate for alternative controls if they can show they’re reasonably “equivalent or more secure,” and those will have to be reviewed annually.
While many businesses already deploy some sort of multi-factor authentication system, many don’t yet require it. And most haven’t addressed how to handle customers who resist taking the extra security measure.
“That’s where it gets hard,” Borgia said, “and everyone struggles with it.”