Regulatory Reference
NYDFS 23 NYCRR 500: What Financial Services Companies Must Do
New York’s cybersecurity regulation applies to every company licensed by the Department of Financial Services — banks, insurers, agencies, and other licensees. This page compiles each requirement of Part 500, as amended in November 2023, with the exact regulation text, compliance deadlines, and source documents in one place.
By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026
New York’s 23 NYCRR Part 500 requires DFS-licensed financial services companies to maintain a risk-based cybersecurity program: a designated CISO, annual penetration testing, multi-factor authentication, third-party vendor policies, incident response and BCDR plans, 72-hour incident notification to DFS, and an annual certification of material compliance — with amended requirements phased in through November 2025.
Related: Compliance Readiness · User Security · AI Regulatory Guidance
Summary
What Part 500 Requires at a Glance
Eight obligations run through the regulation. Every covered entity must be able to show — not just assert — that each one is in place.
A cybersecurity program built on a documented risk assessment, protecting the confidentiality, integrity, and availability of information systems and nonpublic information (§§ 500.2, 500.9).
A written cybersecurity policy approved at least annually by a senior officer or the senior governing body, covering 15 mandated areas from data governance to vulnerability management (§ 500.3).
A designated, qualified CISO who reports in writing to the board at least annually — and a board that exercises documented oversight of cyber risk (§ 500.4).
Multi-factor authentication for any individual accessing any information system, access privilege limits, encryption of nonpublic information, and email/web filtering (§§ 500.7, 500.12, 500.14, 500.15).
Annual penetration testing from inside and outside the network, automated vulnerability scans, and timely risk-prioritized remediation (§ 500.5).
Written policies ensuring the security of systems and data accessible to or held by third-party service providers, with due diligence and periodic reassessment (§ 500.11).
Written incident response and business continuity/disaster recovery plans, tested at least annually with critical staff, backed by protected backups (§ 500.16).
72-hour notice of cybersecurity incidents, 24-hour notice of extortion payments, and an annual certification of material compliance signed by the highest-ranking executive and the CISO (§ 500.17).
Part 500 applies to any organization that holds a New York DFS license, registration, or charter — banks and trust companies, insurance companies, insurance agents and brokers, mortgage lenders and servicers, licensed lenders, money transmitters, and virtual currency businesses. The 2023 amendment made explicit that being regulated by another agency (such as the SEC or FINRA) does not remove the obligation.
Smaller firms qualify for a limited exemption. The amendment raised the thresholds:
Exempt firms are still required to maintain a cybersecurity program (§ 500.2) and written policy (§ 500.3), conduct risk assessments (§ 500.9), oversee third-party service providers (§ 500.11), use multi-factor authentication for remote access and privileged accounts (§ 500.12), limit access privileges (§ 500.7), report cybersecurity incidents within 72 hours, and certify compliance annually (§ 500.17). A Notice of Exemption must be filed electronically within 30 days of determining the exemption applies.
The policy must be based on the firm’s risk assessment and address, at a minimum, 15 areas — including information security; data governance, classification and retention; asset inventory, device management and end of life management; access controls including remote access; business continuity; systems and network security and monitoring; security awareness and training; vendor and third-party service provider management; incident response and notification; and vulnerability management.
Every covered entity must designate a CISO — defined as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be employed by the firm, an affiliate, or a third-party service provider, but the firm retains responsibility for compliance.
The amendment also redefined “risk assessment” itself: “the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations … resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”
The amendment retitled this section from “penetration testing and vulnerability assessments” to “vulnerability management” and requires written policies and procedures designed to ensure that covered entities conduct, at a minimum:
The amended MFA requirement is one of the most consequential changes. MFA is no longer limited to remote access from external networks:
Covered entities must monitor authorized-user activity to “detect unauthorized access or use of, or tampering with, nonpublic information,” and the amendment added an explicit email and web filtering control:
The policies must be based on the risk assessment and address: identification and risk assessment of third-party service providers; minimum cybersecurity practices required for them to do business with the firm; due diligence processes to evaluate the adequacy of their cybersecurity practices; and periodic reassessment based on the risk they present. Guidelines must also cover the provider’s use of MFA and encryption, notice obligations for cybersecurity events, and representations and warranties.
The amendment expanded this section from an incident response plan into full operational resilience:
Incident response plans must explicitly address disruptive events such as ransomware, recovery from backups, and root cause analysis. Plans must be tested at least annually with all critical staff and management, the ability to restore critical data and systems from backups must be tested at least annually, and “each covered entity shall maintain backups necessary to restore material operations” that are “adequately protected from unauthorized alterations or destruction.”
A reportable “cybersecurity incident” is a cybersecurity event that (1) requires notice to any government body, self-regulatory agency, or other supervisory body; (2) has a reasonable likelihood of materially harming any material part of normal operations; or (3) results in the deployment of ransomware within a material part of the firm’s information systems. Firms have “a continuing obligation to update the superintendent with material changes or new information previously unavailable.”
Every year, each covered entity must file one of two things with DFS: a certification of material compliance, or a written acknowledgment of noncompliance identifying every section not materially complied with, plus a remediation timeline.
The amendment created a “Class A” tier: covered entities with at least $20 million in gross annual revenue (in each of the last two fiscal years, from all operations of the entity plus New York operations of affiliates) and either over 2,000 employees or over $1 billion in gross annual revenue including all affiliates. On top of everything above, Class A companies must:
Class A companies must also monitor privileged access activity, implement a privileged access management solution, and deploy an automated method of blocking commonly used passwords (§ 500.7(c)).
DFS adopted the Second Amendment on November 1, 2023 and staggered compliance over two years. All transition periods have now passed — every amended requirement is fully enforceable.
| Deadline | Requirements |
|---|---|
| December 1, 2023 | § 500.17 — 72-hour incident notices, extortion payment notices, revised annual certification |
| April 29, 2024 | All other amended requirements (default 180-day transition), including §§ 500.2, 500.3, 500.5(a)(1), 500.9, 500.14(a)(3) |
| November 1, 2024 | § 500.4 (CISO & board oversight), § 500.15 (encryption), § 500.16 (IR & BCDR), § 500.19(a) (new exemption thresholds) |
| May 1, 2025 | § 500.5(a)(2) (automated scans), § 500.7 (access privileges & password controls), § 500.14(a)(2) (email/web filtering), § 500.14(b) (Class A EDR & logging) |
| November 1, 2025 | § 500.12 (expanded MFA), § 500.13(a) (asset inventory) |
Reference
Source Documents
| Source | Document | Date |
|---|---|---|
| NYDFS | Second Amendment to 23 NYCRR 500 — Adopted Text (PDF) | Nov 2023 |
| NYDFS | Cybersecurity Resource Center (deadlines, filings, FAQs) | Ongoing |
| NYDFS | Press Release: Adoption of the Amended Cybersecurity Regulation | Nov 2023 |
| NYDFS | Industry Letter: Cybersecurity Risks Arising from AI (how Part 500 applies to AI) | Oct 2024 |
Implement and Evidence These Controls
FCI provides managed cybersecurity built for DFS-regulated financial services firms — implementing the controls Part 500 requires and producing the documentation that examinations and the annual certification depend on.