
PAM at the center of 23 NYCRR Part 500 compliance

Published January 2026
Read time 7 minutes
What you will learn
Understand the technical aspects of the 23 NYCRR Part 500 regulation and see how Delinea's PAM solutions assist you in complying.

Executive overview

The New York Department of Financial Services (DFS) strengthened its Cybersecurity Regulation (23 NYCRR Part 500) with the Second Amendment, finalized in November 2023 and phased in through 2025. With the final deadlines of May 1, 2025, and November 1, 2025, now past, every requirement of the amended regulation is enforceable.

For large "Class A" entities, a Privileged Access Management (PAM) solution became mandatory on May 1, 2025. As of November 1, 2025, Multi-Factor Authentication (MFA) is required for any individual accessing any information system of a covered entity, with only narrow, CISO-approved exceptions.

Broadly, the amendment requires MFA to protect access to systems and nonpublic information, and requires that privileged accounts be strictly limited, centrally controlled, and continuously monitored. Non-compliance can lead to regulatory penalties, operational disruption, and reputational damage. Accountability sits with senior leadership: the CISO and the highest-ranking executive must personally sign the annual certification of compliance.

23 NYCRR Part 500 Phased Compliance Deadlines Chart

What are the implications of not complying with 23 NYCRR Part 500?

The graphic above shows the phased timeline for the Second Amendment. The DFS superintendent enforces the regulation, and failure to comply is a violation that may result in penalties.

The rest of this blog focuses on the technical aspects of the regulation and how Delinea's Privileged Access Management (PAM) solutions assist you in complying, with emphasis on Privileged Elevation and Delegation Management (PEDM) features.

Technical details: PAM requirements in Part 500

The identity-security core of the Second Amendment is Section 500.7 (Access Privileges and Management) and Section 500.12 (Multi-Factor Authentication).

As of May 1, 2025, the PAM requirements for Class A companies are mandatory. They include:

  • Implementing a formal PAM solution
  • Restricting privileged accounts to a least-privilege basis
  • Reviewing all user access privileges at least annually

Since November 1, 2025, the MFA mandate is fully in effect: MFA is required for any individual accessing any information system of a covered entity. Where MFA is infeasible, the CISO may approve, in writing, reasonably equivalent or more secure compensating controls, and those approvals must be reviewed at least annually. Exceptions are the tightly limited case, not the norm.

Section 500.7 goes further by requiring a formal access-privilege program for every covered entity: enforce least privilege, limit the number of privileged accounts and restrict their use to functions that strictly require them, and review access privileges at least annually, removing or disabling accounts that are no longer necessary. Class A companies must additionally implement a PAM solution, automatically block commonly used passwords, and monitor privileged activity, which means logging, auditing, and detecting anomalies.

These requirements are why PAM is a regulatory baseline, not merely a best practice. Privileged accounts hold the keys to critical systems and sensitive data; left unmanaged, they are the path that ransomware operators, malicious insiders, and credential thieves take, and Part 500 was written to close it. A PAM program addresses these risks directly: it enforces access control at the point of use, keeps auditable logs, enables rapid incident response, and shrinks the attack surface by replacing standing privileges with just-in-time access.

How Delinea PEDM supports compliance

Server Suite and Privilege Control for Servers (PCS)

Delinea's Privilege Control for Servers and Server Suite provide host-level enforcement consistent with Part 500. They implement MFA during login and privilege elevation, eliminate standing administrator rights by granting just-in-time access, apply granular policies across Windows and Unix/Linux servers, and deliver comprehensive session auditing and recording.

Integration with the Delinea Platform

When extended into the Delinea Platform, these controls become even more powerful. Privileged sessions can be recorded and securely stored in the cloud, providing a reliable audit trail for regulators and internal investigations. Centralized auditing and reporting consolidate activity across environments.

Delinea Iris AI adds automated analysis of session recordings, surfacing anomalous activity and evidence-based insights for faster incident response. Policies and enforcement scale consistently across hybrid and multi-cloud environments, ensuring privileged access is governed everywhere workloads run.

Server PAM Integration with the Delinea Platform

Enforcing MFA at depth

MFA is the single most effective control both for reducing credential risk and for meeting the regulation. The image highlights four points at which MFA must verify a user's identity before that user reaches a critical system.

Most organizations with a credential vault enforce MFA when a user checks out the vaulted credential (1) needed to log in to a server, and usually stop there. When the credential is used to start a remote session (2), a second MFA prompt can be required at session initiation. Both of these controls live at the vault or proxy, not on the server.

A third MFA control must be enforced on the server itself (3). It protects against paths that never touch the vault, such as a direct login with a known password or key, or lateral movement from one already-compromised server to another. Finally, MFA is required again at privilege elevation (4), the moment just-in-time elevated rights are granted to run a privileged command or application.

23 NYCRR Part 500, and Section 500.12 in particular, requires MFA for all privileged accounts except service accounts that prohibit interactive login. The requirement attaches to the account and the system being accessed, not to the vault, so satisfying it means enforcing MFA on the server at login and at elevation (3 and 4), where the privilege is actually used. Vault-initiated MFA alone (1 and 2) leaves points 3 and 4 unprotected and does not meet the requirement.
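One way to check points 3 and 4 on a Linux host, as an added example that is not Delinea code and not part of the original post: it reads sshd_config and the /etc/pam.d/sudo stack as text and reports whether a second factor is actually required, or whether an earlier stack entry can short-circuit it. The module list and the sample configurations are constructed assumptions, not captured from any real system, and the parser deliberately ignores sshd Match-block scoping.

```python
"""Audit server-level MFA at login (point 3) and at sudo elevation (point 4).

Added example, not Delinea code. It parses sshd_config and the sudo PAM stack
as text. Simplifications: sshd Match blocks are not scoped, and an 'include'
of another PAM file is treated as a possible short-circuit because we cannot
see its contents (system-auth normally holds 'auth sufficient pam_unix.so').
"""
import re

# Modules that supply a second factor. Assumption: a starter set, not an
# authoritative list; add whatever module your authenticator installs.
SECOND_FACTOR_MODULES = {
    "pam_oath.so", "pam_google_authenticator.so", "pam_duo.so",
    "pam_u2f.so", "pam_radius_auth.so",
}
# 'auth <control> <module>' where control may be a bracketed action list.
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.IGNORECASE)


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def sshd_requires_two_factors(sshd_config: str) -> bool:
    """Point (3): does sshd demand two distinct methods for every login?

    AuthenticationMethods lists alternatives separated by spaces; each
    alternative is a comma-separated chain that must all succeed. Login is
    MFA-gated only if every alternative chains two or more distinct methods.
    A missing directive, or a value of 'any'/'none', means no requirement.
    """
    seen = False
    for raw in sshd_config.splitlines():
        m = re.match(r"authenticationmethods\s+(.+)", _strip_comment(raw), re.IGNORECASE)
        if not m:
            continue
        seen = True
        for alternative in m.group(1).split():
            if alternative.lower() in ("any", "none"):
                return False
            # 'keyboard-interactive:pam' carries a device suffix; drop it.
            methods = {part.split(":", 1)[0].lower() for part in alternative.split(",")}
            if len(methods) < 2:
                return False
    return seen


def pam_elevation_mfa(pam_sudo: str) -> str:
    """Point (4): returns 'enforced', 'bypassable' or 'absent' for the sudo stack.

    The second-factor module must be 'required' or 'requisite' and must come
    before any line that can end the auth stack early: a 'sufficient' module
    or an 'include' whose contents we cannot inspect. ('substack' is safe,
    since its result is folded into a single line of the calling stack.)
    """
    auth_lines = []
    for raw in pam_sudo.splitlines():
        m = AUTH_LINE.match(_strip_comment(raw))
        if m:
            auth_lines.append((m.group(1).lower(), m.group(2).rsplit("/", 1)[-1]))
    second = next((i for i, (_, mod) in enumerate(auth_lines)
                   if mod in SECOND_FACTOR_MODULES), None)
    if second is None:
        return "absent"
    if auth_lines[second][0] not in ("required", "requisite"):
        return "bypassable"
    short_circuit = next((i for i, (ctl, _) in enumerate(auth_lines)
                          if ctl in ("sufficient", "include")), None)
    if short_circuit is not None and short_circuit < second:
        return "bypassable"  # a password alone satisfies the stack first
    return "enforced"


def audit_host(sshd_config: str, pam_sudo: str) -> dict:
    return {"login_mfa": sshd_requires_two_factors(sshd_config),
            "elevation_mfa": pam_elevation_mfa(pam_sudo)}


# Constructed sample configurations (not captured from any real host).
WEAK_SSHD = "Port 22\nPasswordAuthentication yes\n# no AuthenticationMethods: one factor logs you in\n"
HARDENED_SSHD = ("PasswordAuthentication no\nKbdInteractiveAuthentication yes\nUsePAM yes\n"
                 "AuthenticationMethods publickey,keyboard-interactive:pam\n")
WEAK_PAM_SUDO = "#%PAM-1.0\nauth       include      system-auth\naccount    include      system-auth\n"
# OTP module present, but the include before it lets a correct password win.
BYPASSABLE_PAM_SUDO = ("#%PAM-1.0\nauth       include      system-auth\n"
                       "auth       required     pam_oath.so usersfile=/etc/users.oath window=3\n"
                       "account    include      system-auth\n")
HARDENED_PAM_SUDO = ("#%PAM-1.0\nauth       required     pam_oath.so usersfile=/etc/users.oath window=3\n"
                     "auth       include      system-auth\naccount    include      system-auth\n")

if __name__ == "__main__":
    for name, sshd, pam in (("weak", WEAK_SSHD, WEAK_PAM_SUDO),
                            ("bypassable", HARDENED_SSHD, BYPASSABLE_PAM_SUDO),
                            ("hardened", HARDENED_SSHD, HARDENED_PAM_SUDO)):
        print(name, audit_host(sshd, pam))
```

The "bypassable" case is the one that matters in practice: an OTP module that sits after an include of system-auth is never consulted when the password succeeds, so a host can appear to have elevation MFA configured while point 4 remains unprotected. Run the checks against the real files on a host and treat anything other than `login_mfa: True` and `elevation_mfa: 'enforced'` as a finding.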

Mapping Part 500 requirements to Delinea PEDM

Aligning regulation directly with technology helps compliance teams prioritize. The table below shows how Delinea Server Suite, PCS, and the Delinea Platform support the key PAM-related 23 NYCRR Part 500 provisions.

Section 500.2 – Cybersecurity Program
Requirement¹: Covered entities must maintain a risk-based cybersecurity program to protect the confidentiality, integrity, and availability of information systems and nonpublic information.
How Delinea helps: PCS & Server Suite enforce privileged access controls as part of a risk-based program. Delinea Platform provides centralized visibility, reporting, and governance that demonstrate alignment with regulatory expectations.

Section 500.3 – Cybersecurity Policy
Requirement¹: Written cybersecurity policies must cover access controls, identity management, and related areas.
How Delinea helps: PCS & Server Suite supply enforceable controls that can be documented in policy. Delinea Platform centralizes governance, making it easier to show evidence of policies in action.

Section 500.4 – Cybersecurity Governance
Requirement¹: The CISO must report on the program's effectiveness, material risks, and incidents to senior leadership.
How Delinea helps: Delinea Platform delivers dashboards, reports, and audit trails from PCS and Server Suite, giving CISOs the data needed for board-level reporting.

Section 500.5 – Vulnerability Management
Requirement¹: Covered entities must conduct annual penetration testing and automated vulnerability scans.
How Delinea helps: While not a scanning tool, PCS & Server Suite shrink the exploitable attack surface by eliminating standing privileges. Delinea Platform audit logs show which privileged actions a red team or penetration tester was able to perform, which supports validation of findings.

Section 500.6 – Audit Trail
Requirement¹: Audit trails must be able to reconstruct material financial transactions and to detect and respond to cybersecurity events.
How Delinea helps: PCS & Server Suite log privileged activity down to individual commands and sessions. Delinea Platform stores these records securely in the cloud and integrates with SIEMs for analysis.

Section 500.7 – Access Privileges and Management
Requirement¹: All covered entities must enforce least privilege, limit privileged accounts and their use, and review access privileges at least annually. Class A companies must additionally implement a PAM solution, automatically block commonly used passwords, and monitor privileged activity.
How Delinea helps: PCS & Server Suite enforce least privilege, MFA at login and elevation, and just-in-time access. Delinea Platform records sessions, provides cloud audit storage, and enforces modern authentication controls.

Section 500.11 – Third-Party Service Provider Security Policy
Requirement¹: Covered entities must implement policies to ensure third-party providers meet minimum cybersecurity standards.
How Delinea helps: Delinea Platform extends session monitoring to vendor and contractor access via PCS and Server Suite, providing oversight and auditability of third-party privileged sessions.

Section 500.12 – Multi-Factor Authentication
Requirement¹: MFA is required for any individual accessing any information system, including remote access, third-party and cloud applications that hold NPI, and all privileged accounts. Exceptions require written CISO approval of compensating controls.
How Delinea helps: PCS & Server Suite enforce MFA for privileged logins and privilege elevation. Delinea Platform supports modern MFA integrations (cloud authenticators, adaptive access policies).

Section 500.14 – Monitoring and Training
Requirement¹: Covered entities must monitor user activity and detect unauthorized access; Class A companies must implement an EDR solution and centralized logging with security event alerting.
How Delinea helps: PCS & Server Suite monitor privileged sessions and record user commands. Delinea Platform centralizes session logs, supports cloud retention, and integrates with EDR and SIEM tools for anomaly detection.

Section 500.16 – Incident Response and Business Continuity
Requirement¹: Entities must maintain incident response and recovery plans to address cybersecurity events.
How Delinea helps: PCS & Server Suite support rapid privilege revocation and isolation of compromised accounts. Delinea Platform provides audit evidence and session recordings for post-incident analysis and reporting.

Section 500.17 – Notices to Superintendent
Requirement¹: Covered entities must notify DFS within 72 hours of determining that a cybersecurity incident has occurred, and within 24 hours of making an extortion payment.
How Delinea helps: Delinea Platform's centralized audit logs and cloud-stored recordings help CISOs establish what happened quickly and provide supporting evidence for DFS notifications.

¹ These descriptions are simplified for the mapping table. For exact language, refer to: https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

Why this matters

The potential consequences of non-compliance are clear: regulatory action, reputational damage, and operational disruptions. DFS has formalized what practitioners already knew: that privileged accounts are the primary target in cyberattacks and managing them correctly is essential.

By requiring MFA everywhere and a formal PAM program for Class A companies, Part 500 establishes a new baseline for cybersecurity due diligence. PAM is no longer optional or aspirational; it is now a requirement.

The post-deadline reality

The planning phase is over. Executives must now ensure the identity-security requirements are deployed and operating as part of a governed program:

  1. PAM compliance (Class A): Confirm the formal PAM solution is fully operational, privileged activity is monitored, and the annual access review is documented.
  2. Universal MFA: Confirm MFA is enforced for every individual accessing any information system, not just remote or privileged accounts. DFS strongly recommends phishing-resistant MFA methods.

PCS, Server Suite, and the Delinea Platform let organizations meet these obligations while strengthening real-world defenses against the identity-based attacks the regulation targets.

For more information on how you can meet Part 500 compliance, reach out to us at Delinea for a conversation.
