What NYDFS Cybersecurity Updates Mean for E&S Cyber Wholesalers: July 2025 Recap

The New York Department of Financial Services (NYDFS) continues its phased rollout of the amended Cybersecurity Regulation (23 NYCRR Part 500), with new requirements set to take effect this November. While much of the regulatory language targets Covered Entities—such as insurers, banks, and financial services companies—these updates carry real operational and compliance implications for E&S cyber wholesalers and the broader surplus lines market.

Here’s a breakdown of the latest changes and why they matter for our sector.

Enhanced MFA & Asset Inventory Requirements – Effective November 1, 2025

The biggest regulatory shift on the horizon is the mandatory implementation of enhanced Multi-Factor Authentication (MFA) across all information systems. This applies to nearly every category of Covered Entity unless fully exempt, including those qualifying as small businesses.

In tandem, Section 500.13(a) will require entities to maintain a comprehensive asset inventory—tracking details like system owner, location, and role in managing NPI (Nonpublic Information).

What This Means for Cyber Wholesalers:

  • Underwriters and brokers should expect increased scrutiny from insureds and retail agents on MFA and asset inventory practices, especially for risks domiciled in or operating within New York.

  • Submissions may need to include confirmation of compliance with asset tracking procedures and MFA implementation, especially for larger accounts and tech-heavy insureds.

  • Expect rising demand for cyber risk management support tools and services, particularly those that can assist small-to-mid-sized clients in complying with these mandates.

DFS Guidance on Global Conflict Cyber Threats

DFS issued a special advisory on June 23, 2025, warning that ongoing global conflicts are increasing the threat level for cyberattacks. The Department emphasized compliance with U.S. sanctions and cybersecurity protocols, particularly for entities handling sensitive virtual currency operations.

Implications for Wholesalers:

  • Risk appetite may tighten for sectors linked to virtual assets, global logistics, or high-risk regions.

  • Cyber wholesalers should collaborate with markets to ensure emerging threat intelligence and geopolitical cyber risk exposure are built into underwriting guidelines.

  • Consider embedding updated threat posture questionnaires in broker submissions for more accurate quoting and policy language alignment.

Consumer Alert on Virtual Currency Phishing Scams

DFS also published a consumer alert warning about social engineering attacks targeting virtual currency users. Bad actors are impersonating service providers using stolen personal information—SSNs, IDs, and account numbers—to trick victims into disclosing credentials or transferring funds.

Key Takeaways:

  • Wholesalers placing coverage for crypto platforms, digital wallets, or fintechs must assess how these clients handle social engineering and impersonation attacks.

  • Expect underwriters to probe further into internal controls, especially how platforms handle outbound communication, fraud detection, and KYC protocols.

Annual Compliance Submission Reminder

As of April 15, 2025, Covered Entities were required to submit their Annual Certification of Material Compliance or Acknowledgement of Noncompliance. New sections that became effective May 1, 2025, now impose stricter standards around:

  • Access privilege management (Section 500.7)

  • Vulnerability management (Section 500.5(a)(2))

  • Malware defense (Section 500.14(a)(2))

  • Anomalous activity monitoring for Class A companies (Section 500.14(b))

What to Expect:

  • Retail brokers and insureds may require clarification on their classification (Class A vs. Standard vs. Small Business) and how it affects their obligations.

  • E&S wholesalers need to understand these definitions to ensure accurate guidance and avoid errors & omissions exposure when advising on cyber risk transfer.

The Takeaway: Prepare, Don’t React

These updates reinforce a broader trend: Cybersecurity regulation is no longer optional or static. It’s dynamic, growing in complexity, and increasingly tied to underwriting and compliance workflows.

For E&S wholesalers specializing in cyber:

  • Stay educated on evolving state-level regulations like NYDFS Part 500.

  • Embed regulatory awareness into your application supplements and risk assessment frameworks.

  • Partner with underwriters and vendors who understand how to bridge the gap between compliance, underwriting, and real-world risk.

If you’re not yet helping your retail partners and insureds understand how to operationalize regulatory compliance into their cyber risk strategy, now is the time to start.

Need help tailoring your submission language to meet NYDFS expectations? Let’s talk. Wholesalers who adapt quickly will be the ones who win business in a more regulated—and risk-exposed—cyber landscape.
