The New York Department of Financial Services (NY DFS) has updated its Cybersecurity Regulation (23 NYCRR 500), with new identity-related requirements taking effect on May 1, 2025. These updates are designed to strengthen how financial institutions manage user access in modern, cloud-first environments.
This regulation pushes for tighter control over who can access systems, what they can do with that access, and how that access is managed. The changes impact all covered entities unless they qualify for a full exemption.
Below we outline what covered organizations must do to implement enhanced access controls and limit user privileges in the cloud.
The amended regulation introduces a set of identity and access management (IAM) requirements that aim to minimize unauthorized access, reduce risk exposure, and enforce accountability in the cloud.
Over 90% of cloud identities in a typical financial services environment are over-permissioned, meaning they have access to more resources than necessary for their job function, posing significant risk.
Key elements include:
These critical issues are not just technical problems—they are also compliance and risk liabilities.
How to Prepare: A Phased Approach
To comply with these new rules and reduce risk, financial institutions should take a structured, phased approach:
Start by identifying all users, roles, service accounts, and permissions across your cloud environments, and map all human and non-human identities. Visibility will also help detect shadow accounts and third-party access.
Reduce permissions sprawl including unused access and excessive privileges. Apply least privilege principles and continuously monitor for drift.
Grant privileged access only when needed, with auto-expiration to provide temporary, time-bound access. This limits risk exposure without slowing down operations.
Automate access reviews, certifications, and policy enforcement using identity governance tools. Define clear ownership of access decisions and ensure accountability.
Enforce MFA everywhere, especially for privileged and remote access. Consider moving toward passwordless solutions for higher assurance.
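The five phases above describe checks that can be run mechanically against an identity inventory. The following is an added example, not code from the page or from Andromeda Security, that models those checks over a constructed, hypothetical inventory export: it flags permissions granted but never exercised (rightsizing candidates), dormant identities, standing or expired privileged grants that should have been time-bound, and human identities without MFA. Permission names, identity names and the 90-day window are assumptions chosen for illustration; a real inventory would come from the cloud provider's IAM and access-analysis data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed sample data: a hypothetical IAM inventory export, not data from
# any real institution. All timestamps are UTC; NOW is fixed for reproducibility.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)

# Permissions treated as privileged for this example (an assumption, not a standard list).
PRIVILEGED = {"iam:*", "kms:Decrypt", "s3:DeleteBucket", "ec2:TerminateInstances"}


@dataclass
class Identity:
    name: str
    kind: str                 # "human" or "service" (non-human identity)
    granted: Set[str]         # permissions currently attached
    used_last_90d: Set[str]   # permissions actually exercised in the review window
    mfa_enrolled: bool
    last_activity: datetime
    jit_expires: Optional[datetime] = None  # expiry of a time-bound privileged grant, if any


IDENTITIES: List[Identity] = [
    Identity("alice", "human", {"s3:GetObject", "s3:PutObject", "iam:*"},
             {"s3:GetObject"}, True, NOW - timedelta(days=2), NOW - timedelta(hours=6)),
    Identity("bob", "human", {"s3:GetObject"}, {"s3:GetObject"}, False,
             NOW - timedelta(days=1)),
    Identity("ci-deploy", "service",
             {"ec2:TerminateInstances", "ec2:RunInstances", "kms:Decrypt"},
             {"ec2:RunInstances"}, False, NOW - timedelta(days=1)),
    Identity("legacy-etl", "service", {"s3:GetObject", "s3:DeleteBucket"}, set(),
             False, NOW - timedelta(days=200)),
    Identity("carol", "human", {"s3:GetObject", "kms:Decrypt"},
             {"s3:GetObject", "kms:Decrypt"}, True, NOW - timedelta(days=3),
             NOW + timedelta(hours=2)),
]


def unused_permissions(identity: Identity) -> Set[str]:
    """Phase 2: permissions granted but not exercised in the window (rightsizing candidates)."""
    return identity.granted - identity.used_last_90d


def over_permissioned(identities: List[Identity]) -> Dict[str, Set[str]]:
    """Identities holding at least one unused permission, with the permissions to remove."""
    return {i.name: unused_permissions(i) for i in identities if unused_permissions(i)}


def rightsized_policy(identity: Identity) -> List[str]:
    """Least-privilege policy for an identity: keep only what was used; sorted for stable diffs."""
    return sorted(identity.used_last_90d)


def permission_drift(approved: List[str], identity: Identity) -> List[str]:
    """Phase 2 continuous check: grants that appeared beyond the last approved policy."""
    return sorted(identity.granted - set(approved))


def dormant_identities(identities: List[Identity], now: datetime = NOW, days: int = 90) -> List[str]:
    """Phase 1: identities with no activity in the window (shadow or orphaned account candidates)."""
    return [i.name for i in identities if now - i.last_activity > timedelta(days=days)]


def privileged_grant_findings(identities: List[Identity], now: datetime = NOW) -> Dict[str, str]:
    """Phase 3: privileged access with no expiry, or a JIT grant past expiry that is still attached."""
    findings: Dict[str, str] = {}
    for i in identities:
        if not (i.granted & PRIVILEGED):
            continue
        if i.jit_expires is None:
            findings[i.name] = "standing privileged access (no expiry)"
        elif i.jit_expires <= now:
            findings[i.name] = "JIT grant expired but still attached"
    return findings


def mfa_gaps(identities: List[Identity]) -> List[str]:
    """Phase 5: human identities that are not enrolled in MFA."""
    return [i.name for i in identities if i.kind == "human" and not i.mfa_enrolled]


def access_review_report(identities: List[Identity]) -> Dict[str, object]:
    """Phase 4: one report an access-review owner can act on, combining the checks above."""
    return {
        "over_permissioned": over_permissioned(identities),
        "dormant": dormant_identities(identities),
        "privileged_grants": privileged_grant_findings(identities),
        "mfa_gaps": mfa_gaps(identities),
    }


if __name__ == "__main__":
    for section, result in access_review_report(IDENTITIES).items():
        print(f"{section}: {result}")
```

The report is meant to be produced on a schedule, with each finding assigned to a named owner; the `rightsized_policy` output for an identity becomes the approved baseline that `permission_drift` checks against on the next run, which is what turns a one-time cleanup into continuous monitoring.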
The upcoming NY DFS 2025 requirements highlight the need for a more mature, security-first approach to identity in the cloud to ensure financial institutions tightly control and monitor user access to sensitive systems. By enforcing stricter identity and access management practices, the regulation aims to reduce the risk of unauthorized access, data breaches, and operational vulnerabilities.
Andromeda Security helps financial institutions meet their identity security goals and move closer to zero trust principles. Our comprehensive solution leverages AI and your identity data to provide real-time context, behavioral analytics, and risk signals to deliver comprehensive visibility and actionable operational insights, automated anomaly remediation, dynamic permission rightsizing, contextual JIT, and streamlined user access reviews.