New York DFS Cybersecurity Regulation: Key 2025 Deadlines Approaching

Covered entities must submit their annual compliance notifications for 2024 by April 15. Plus, new security measures are being introduced May 1.

03/11/2025 4:05 P.M.

2 minute read

The New York Department of Financial Services (NY DFS) is preparing covered entities for significant cybersecurity compliance deadlines in 2025, with new requirements rolling out through the first half of the year.

Here are two major DFS deadlines you need to know:

• Annual Compliance Submissions: Beginning April 15, 2025, covered entities must submit their annual compliance notifications for the 2024 calendar year. Organizations can choose between filing a Certification of Material Compliance or an Acknowledgement of Noncompliance through the NY DFS portal. While fully exempt entities are not required to submit these notifications, those with limited exemptions must still comply with the annual filing requirement.
• New Security Requirements: Starting May 1, 2025, the NY DFS is introducing enhanced security measures across different entity classifications. All covered entities will need to strengthen their access privilege management systems, including regular review of user access, securing remote control protocols, and establishing comprehensive written password policies.
  • Requirements for Class A and Standard entities: These entities must include the implementation of automated vulnerability scanning systems and enhanced protection against malicious code.
  • Class A entities only: In particular, Class A entities must meet heightened security standards by deploying endpoint detection and response solutions, along with centralized logging and security event alerting systems.

Available Resources

To facilitate smooth implementation of these new requirements, the DFS has launched a series of video refreshers covering essential aspects of the regulation. These resources address key topics such as multi-factor authentication, cybersecurity awareness training, and encryption requirements.

Entities seeking detailed guidance, exemption information, or compliance filing instructions can visit the Cybersecurity Resource Center.

ACA’s Cybersecurity Resources

• The Cybersecurity Collective connects you to fellow cybersecurity enthusiasts in our private LinkedIn group, where you can ask questions and keep up with the latest security insights. Visit ACA’s Cybersecurity Collective page and agree to the terms of participation to sign up.
• Collectors Insurance Agency (CIA), a subsidiary of ACA, recently announced a new partnership with leading cyber insurance provider Coalition to help ACA’s member companies proactively reduce their cyber risk. The partnership provides CIA customers with direct access to Coalition’s industry-leading cyber risk management platform, Coalition Control, which helps clients detect, assess, and mitigate cyber threats throughout the life of a cyber insurance policy.
• ACA’s 2025 Cybersecurity & Risk Forum, March 31-April 2 in Austin, Texas, is the perfect opportunity to transform your security resolutions into actionable strategies. Register for the 2025 Cybersecurity & Risk Forum here.