Regulatory Reference

NYDFS 23 NYCRR 500: What Financial Services Companies Must Do

New York’s cybersecurity regulation applies to every company licensed by the Department of Financial Services — banks, insurers, agencies, and other licensees. This page compiles each requirement of Part 500, as amended in November 2023, with the exact regulation text, compliance deadlines, and source documents in one place.

By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026

New York’s 23 NYCRR Part 500 requires DFS-licensed financial services companies to maintain a risk-based cybersecurity program: a designated CISO, annual penetration testing, multi-factor authentication, third-party vendor policies, incident response and BCDR plans, 72-hour incident notification to DFS, and an annual certification of material compliance — with amended requirements phased in through November 2025.

Related: Compliance Readiness · User Security · AI Regulatory Guidance

Summary

What Part 500 Requires at a Glance

Eight obligations run through the regulation. Every covered entity must be able to show — not just assert — that each one is in place.

Risk-Based Program

A cybersecurity program built on a documented risk assessment, protecting the confidentiality, integrity, and availability of information systems and nonpublic information (§§ 500.2, 500.9).

Written Policy, Approved Annually

A written cybersecurity policy approved at least annually by a senior officer or the senior governing body, covering 15 mandated areas from data governance to vulnerability management (§ 500.3).

Accountable Leadership

A designated, qualified CISO who reports in writing to the board at least annually — and a board that exercises documented oversight of cyber risk (§ 500.4).

Technical Safeguards

Multi-factor authentication for any individual accessing any information system, access privilege limits, encryption of nonpublic information, and email/web filtering (§§ 500.7, 500.12, 500.14, 500.15).

Testing & Vulnerability Management

Annual penetration testing from inside and outside the network, automated vulnerability scans, and timely risk-prioritized remediation (§ 500.5).

Third-Party Oversight

Written policies ensuring the security of systems and data accessible to or held by third-party service providers, with due diligence and periodic reassessment (§ 500.11).

Resilience Planning

Written incident response and business continuity/disaster recovery plans, tested at least annually with critical staff, backed by protected backups (§ 500.16).

Reporting & Certification

72-hour notice of cybersecurity incidents, 24-hour notice of extortion payments, and an annual certification of material compliance signed by the highest-ranking executive and the CISO (§ 500.17).

Scope — Who Must Comply
§ 500.1(e) — In Force Since March 2017
Covered Entities: Every DFS Licensee

Part 500 applies to any organization that holds a New York DFS license, registration, or charter — banks and trust companies, insurance companies, insurance agents and brokers, mortgage lenders and servicers, licensed lenders, money transmitters, and virtual currency businesses. The 2023 amendment made explicit that being regulated by another agency (such as the SEC or FINRA) does not remove the obligation.

“Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” — 23 NYCRR § 500.1(e)
Key Takeaway: If your firm holds any DFS authorization, Part 500 applies — and DFS expects an annual electronic filing (certification or exemption notice) from every covered entity. Compliance with SEC, FINRA, or federal banking rules does not substitute.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.19 — Amended Thresholds Effective November 1, 2024
Limited Exemptions: Fewer Obligations, Not Zero

Smaller firms qualify for a limited exemption. The amendment raised the thresholds:

“Each covered entity with: (1) fewer than 20 employees and independent contractors of the covered entity and its affiliates; (2) less than $7,500,000 in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates; or (3) less than $15,000,000 in year-end total assets … shall be exempt from the requirements of sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.14(a)(1), (a)(2), and (b), 500.15 and 500.16 of this Part.” — 23 NYCRR § 500.19(a)

Exempt firms are still required to maintain a cybersecurity program (§ 500.2) and written policy (§ 500.3), conduct risk assessments (§ 500.9), oversee third-party service providers (§ 500.11), use multi-factor authentication for remote access and privileged accounts (§ 500.12), limit access privileges (§ 500.7), report cybersecurity incidents within 72 hours, and certify compliance annually (§ 500.17). A Notice of Exemption must be filed electronically within 30 days of determining the exemption applies.

Key Takeaway: “Exempt” is a partial status — small firms must still evidence a program, policy, risk assessment, MFA on remote access, vendor oversight, incident reporting, and the annual filing. Firms that outgrow the thresholds have 180 days to comply in full.
23 NYCRR 500 — Adopted Amendment Text (PDF)
Program & Governance
§§ 500.2 & 500.3 — Amended Provisions Effective April 29, 2024
Cybersecurity Program & Written Policy
“Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems and nonpublic information stored on those information systems.” — 23 NYCRR § 500.2(a)
“Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity’s senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be developed, documented and implemented in accordance with the written policy or policies.” — 23 NYCRR § 500.3

The policy must be based on the firm’s risk assessment and address, at a minimum, 15 areas — including information security; data governance, classification and retention; asset inventory, device management and end of life management; access controls including remote access; business continuity; systems and network security and monitoring; security awareness and training; vendor and third-party service provider management; incident response and notification; and vulnerability management.

Key Takeaway: Examiners look for two artifacts: a program document traceable to the risk assessment, and a written policy with a dated approval by a senior officer or the board — renewed every year. Procedures must exist in writing, not just in practice.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.4 — Amended Provisions Effective November 1, 2024
CISO Requirement & Board Reporting

Every covered entity must designate a CISO — defined as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be employed by the firm, an affiliate, or a third-party service provider, but the firm retains responsibility for compliance.

“The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity’s cybersecurity program, including to the extent applicable … plans for remediating material inadequacies.” — 23 NYCRR § 500.4(b)
“The senior governing body of the covered entity shall exercise oversight of the covered entity’s cybersecurity risk management, including by: (1) having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors.” — 23 NYCRR § 500.4(d)
Key Takeaway: Firms must evidence a named, qualified CISO; a written annual CISO report to the board covering risks, program effectiveness, material events, and remediation plans; and board records showing cyber oversight — including that management allocated sufficient resources.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.9 — Amended Provisions Effective April 29, 2024
Risk Assessments: The Foundation of Everything Else
“Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk.” — 23 NYCRR § 500.9(a)

The amendment also redefined “risk assessment” itself: “the process of identifying, estimating and prioritizing cybersecurity risks to organizational operations … resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses and consider mitigations provided by security controls planned or in place.”

Key Takeaway: The risk assessment is the document every other control is judged against — program design, policy scope, vendor requirements, and scan frequency all trace back to it. Firms must evidence an annual review date and updates after material business or technology changes.
23 NYCRR 500 — Adopted Amendment Text (PDF)
Controls & Testing
§ 500.5 — Scanning Requirement Effective May 1, 2025
Vulnerability Management & Penetration Testing

The amendment retitled this section from “penetration testing and vulnerability assessments” to “vulnerability management” and requires written policies and procedures designed to ensure that covered entities conduct, at a minimum:

“Penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party at least annually; and automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes.” — 23 NYCRR § 500.5(a)
“Timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.” — 23 NYCRR § 500.5(c)
Key Takeaway: Firms must evidence an annual internal-and-external penetration test by a qualified party, scan reports at a risk-assessment-driven cadence, a monitoring process for new vulnerabilities, and remediation records showing risk-based prioritization.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.12 — Fully Effective November 1, 2025
Multi-Factor Authentication: Everyone, Every System

The amended MFA requirement is one of the most consequential changes. MFA is no longer limited to remote access from external networks:

“Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for: (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts other than service accounts that prohibit interactive login.” — 23 NYCRR § 500.12(a)
“If the covered entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls. Such controls shall be reviewed periodically, but at a minimum annually.” — 23 NYCRR § 500.12(b)
Key Takeaway: Since November 1, 2025, MFA must cover any individual accessing any information system — employees, contractors, and vendors, on-premises and in the cloud. The only alternative is a CISO-approved compensating control, documented in writing and re-reviewed annually.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.14 — Filtering Controls Effective May 1, 2025
Monitoring, Filtering & Security Awareness Training

Covered entities must monitor authorized-user activity to “detect unauthorized access or use of, or tampering with, nonpublic information,” and the amendment added an explicit email and web filtering control:

“Implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content.” — 23 NYCRR § 500.14(a)(2)
“Provide periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.” — 23 NYCRR § 500.14(a)(3)
Key Takeaway: Firms must evidence user-activity monitoring, deployed email and web filtering, and annual training records for all personnel — with training content that demonstrably covers social engineering and tracks the current risk assessment.
23 NYCRR 500 — Adopted Amendment Text (PDF)
Third Parties & Resilience
§ 500.11 — In Force Since March 2019
Third-Party Service Provider Security Policy
“Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.” — 23 NYCRR § 500.11(a)

The policies must be based on the risk assessment and address: identification and risk assessment of third-party service providers; minimum cybersecurity practices required for them to do business with the firm; due diligence processes to evaluate the adequacy of their cybersecurity practices; and periodic reassessment based on the risk they present. Guidelines must also cover the provider’s use of MFA and encryption, notice obligations for cybersecurity events, and representations and warranties.

Key Takeaway: Firms must evidence a vendor inventory with risk ratings, documented due diligence before onboarding, contract clauses covering MFA, encryption, and breach notice, and a periodic reassessment schedule that is actually followed.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.16 — Amended Provisions Effective November 1, 2024
Incident Response & BCDR Planning

The amendment expanded this section from an incident response plan into full operational resilience:

“As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.” — 23 NYCRR § 500.16(a)
“BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities.” — 23 NYCRR § 500.16(a)(2)

Incident response plans must explicitly address disruptive events such as ransomware, recovery from backups, and root cause analysis. Plans must be tested at least annually with all critical staff and management, the ability to restore critical data and systems from backups must be tested at least annually, and “each covered entity shall maintain backups necessary to restore material operations” that are “adequately protected from unauthorized alterations or destruction.”

Key Takeaway: Firms must evidence written IR and BCDR plans, annual tabletop or live tests with sign-in records for critical staff, documented backup-restoration tests, and protected (offline or immutable) backups sufficient to restore material operations.
23 NYCRR 500 — Adopted Amendment Text (PDF)
Reporting to DFS
§ 500.17(a), (c) — Effective December 1, 2023
72-Hour Incident Notice & Extortion Payment Reporting
“Each covered entity shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.” — 23 NYCRR § 500.17(a)(1)

A reportable “cybersecurity incident” is a cybersecurity event that (1) requires notice to any government body, self-regulatory agency, or other supervisory body; (2) has a reasonable likelihood of materially harming any material part of normal operations; or (3) results in the deployment of ransomware within a material part of the firm’s information systems. Firms have “a continuing obligation to update the superintendent with material changes or new information previously unavailable.”

“Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent … within 24 hours of the extortion payment, notice of the payment; and within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.” — 23 NYCRR § 500.17(c)
Key Takeaway: The 72-hour clock starts at determination, and it covers incidents at affiliates and third-party service providers — so firms must evidence an incident classification procedure, a DFS portal filing workflow, and vendor contracts that guarantee timely breach notice. Ransom payments trigger a separate 24-hour notice and 30-day written justification.
23 NYCRR 500 — Adopted Amendment Text (PDF)
§ 500.17(b) — Filed Annually by April 15
Annual Certification of Material Compliance

Every year, each covered entity must file one of two things with DFS: a certification of material compliance, or a written acknowledgment of noncompliance identifying every section not materially complied with, plus a remediation timeline.

“A written certification that: (a) certifies that the covered entity materially complied with the requirements set forth in this Part during the prior calendar year; and (b) shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance.” — 23 NYCRR § 500.17(b)(1)
“Such certification or acknowledgment shall be submitted electronically in the form set forth on the department’s website and shall be signed by the covered entity’s highest-ranking executive and its CISO.” — 23 NYCRR § 500.17(b)(2)
Key Takeaway: The regulation makes evidence mandatory: the certification must rest on “data and documentation sufficient to accurately determine and demonstrate” compliance, both the CEO and CISO must sign personally, and all supporting records must be kept for five years and produced on request.
NYDFS Cybersecurity Resource Center
Enhanced Duties — Class A Companies
§§ 500.1(d), 500.2(c), 500.7(c), 500.14(b)
Class A Companies: The Largest Firms Carry Extra Obligations

The amendment created a “Class A” tier: covered entities with at least $20 million in gross annual revenue (in each of the last two fiscal years, from all operations of the entity plus New York operations of affiliates) and either over 2,000 employees or over $1 billion in gross annual revenue including all affiliates. On top of everything above, Class A companies must:

“Each class A company shall design and conduct independent audits of its cybersecurity program based on its risk assessment.” — 23 NYCRR § 500.2(c)
“Each class A company shall implement, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls: (1) an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement; and (2) a solution that centralizes logging and security event alerting.” — 23 NYCRR § 500.14(b)

Class A companies must also monitor privileged access activity, implement a privileged access management solution, and deploy an automated method of blocking commonly used passwords (§ 500.7(c)).

Key Takeaway: Class A firms must evidence independent audits, EDR coverage, centralized logging/alerting, and privileged access management — and any deviation requires written CISO approval of compensating controls, renewed at least annually.
23 NYCRR 500 — Adopted Amendment Text (PDF)
Second Amendment — Phased Deadlines
§ 500.22 — Adopted November 1, 2023; Fully Phased In November 1, 2025
When Each Amended Requirement Took Effect

DFS adopted the Second Amendment on November 1, 2023 and staggered compliance over two years. All transition periods have now passed — every amended requirement is fully enforceable.

Deadline Requirements
December 1, 2023§ 500.17 — 72-hour incident notices, extortion payment notices, revised annual certification
April 29, 2024All other amended requirements (default 180-day transition), including §§ 500.2, 500.3, 500.5(a)(1), 500.9, 500.14(a)(3)
November 1, 2024§ 500.4 (CISO & board oversight), § 500.15 (encryption), § 500.16 (IR & BCDR), § 500.19(a) (new exemption thresholds)
May 1, 2025§ 500.5(a)(2) (automated scans), § 500.7 (access privileges & password controls), § 500.14(a)(2) (email/web filtering), § 500.14(b) (Class A EDR & logging)
November 1, 2025§ 500.12 (expanded MFA), § 500.13(a) (asset inventory)
Key Takeaway: As of November 1, 2025 there are no remaining grace periods. The April 15 certification now attests to a calendar year in which every amended control — including universal MFA and a complete asset inventory — was required to be in place and evidenced.
NYDFS Press Release — Amended Regulation Adopted

Implement and Evidence These Controls

FCI provides managed cybersecurity built for DFS-regulated financial services firms — implementing the controls Part 500 requires and producing the documentation that examinations and the annual certification depend on.