NYDFS’ amendments go into effect on November 1
On November 1, NYDFS’ expanded requirements for multi-factor authentication (MFA) and IT asset management went into effect, as part of the NYDFS’ Second Amendment to the Cybersecurity Regulation (Part 500). Details regarding the Cybersecurity Regulation are available on the state’s Cybersecurity Resource Center.
Notably, the new requirements expand MFA coverage to “any individual accessing any information systems of a covered entity,” unless an exemption applies. Furthermore, covered entities are now required to implement policies and procedures for IT asset management that address, in part, the tracking of specific data elements for each IT asset (including locations, end-of-service life dates, and recovery time objectives) and “the frequency required to update and validate” the asset inventory.
The asset management requirement applies regardless of whether a covered entity has obtained a limited exemption under Section 500.19(a).