Skip to main content

Back to Blog

NYDFS Cybersecurity Regulation: Automated Blocking of Commonly Used Passwords

Overview of the NYDFS Cybersecurity Regulation Update

On November 1, 2023, the New York Department of Financial Services (NYDFS) introduced its second amended Cybersecurity Regulation (23 NYCRR Part 500). The amendments, influenced by extensive public feedback, introduce several significant changes, including heightened cybersecurity requirements for large licensees known as “Class A Companies.” Compliance with these new requirements is mandated by April 29, 2024, with certain provisions having extended transition dates.

Focus: Automated Blocking of Commonly Used Passwords

One notable requirement is the implementation of an automated method to block commonly used passwords for all accounts on information systems owned or controlled by Class A Companies, and wherever feasible, for all other accounts. This measure is designed to enhance security by preventing the use of weak passwords that are easily exploitable by cyber attackers.

“Each class A company shall monitor privileged access activity and shall implement an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.”

Who Must Adhere?

The automated password blocking requirement applies specifically to “Class A Companies.” According to the regulation, a Class A Company is a covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either:

Over 2,000 employees on average over the last two fiscal years, including affiliates; or over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the entity and its affiliates.

Implementation and Enforcement Timeline

The requirement for automated password blocking became enforceable on April 29, 2024. Organizations who do not yet meet this requirement are encouraged to implement these measures as soon as possible to avoid penalties and make their environment secure.

Enforcement and Fines

The NYDFS has established stringent enforcement provisions for non-compliance with the cybersecurity regulation. Covered entities found to be non-compliant may face significant punishment, including financial fines. The exact amount of the fines can vary based on the severity of the non-compliance and the potential impact on the entity’s cybersecurity posture.

Detailed Requirements for Class A Companies

Each Class A Company must:

  • Automate Password Blocking: Implement an automated method to block commonly used passwords. This solution must be in place for all accounts on information systems owned or controlled by the Class A Company. If it is not feasible for certain accounts, the Chief Information Security Officer (CISO) must approve the infeasibility determination and ensure the use of reasonably equivalent or more secure compensating controls.
  • Monitor Compliance: The implementation and effectiveness of the password blocking solution should be monitored regularly. The CISO is responsible for ensuring the compliance and adequacy of these controls.
  • Regular Audits: Conduct regular audits to verify that the automated password blocking solution is functioning correctly and effectively preventing the use of weak passwords.

Compliance Strategies

To comply with this requirement in the easiest, most secure, and most cost-effective way, Class A Companies should consider using Enzoic for Active Directory:

Eliminate Compromised Passwords in Active Directory with Enzoic

Enzoic for Active Directory is an easy-to-install plugin that provides a frictionless way to identify, monitor, and remediate unsafe passwords. It offers a comprehensive solution for ensuring password security and compliance with the NYDFS regulation.

  • Automated Password Blocking: Enzoic for Active Directory ensures that new passwords comply with a configurable password policy every time a password is created. It blocks commonly used and compromised passwords automatically, enhancing security across your organization.
  • Continuous Monitoring: Credentials are continuously monitored against Enzoic’s active threat collection database. This ensures that any exposure is detected in real-time, keeping your password security up-to-date.
  • Automated Response: When a user’s information is detected in a data breach, Enzoic automates remediation with actions such as requiring a password reset or disabling the account, ensuring immediate response without additional administrative burden.
  • Real-Time Credential Protection: By screening username and password pairs at creation and monitoring them daily, Enzoic helps organizations stay ahead of potential threats and maintain a strong security posture.

Benefits of Enzoic for Active Directory

  • Time Savings for System Admins: System admins can operate efficiently with customization options and remediation controls that align with organizational needs.
  • Enhanced User Experience: End time-based password resets and reduce help desk calls by automatically responding to exposed credentials, impacting only those using unsafe passwords.
  • Easily Achieved Compliance: With Enzoic for Active Directory, compliance with NYDFS and many other requirements is achieved with minimal effort.

Get Started with Enzoic for Active Directory

Try Now: Eliminate commonly used and compromised passwords in your environment. Download and try free for up to 20 users.

Product Demo: Watch a full product demo to understand how Enzoic for Active Directory can help enhance security, save time, and reduce administrative costs.

Compliance and Peace of Mind

Enzoic for Active Directory is designed to meet current industry best practices and guidelines, providing continuous credential protection and ensuring compliance with the NYDFS Cybersecurity Regulation. Implementing Enzoic will give your organization the tools it needs to stay secure and compliant.

For more detailed guidance on compliance with the NYDFS Cybersecurity Regulation and to explore how Enzoic for Active Directory can benefit your organization, contact Enzoic today.




Josh Parsons

Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.