New York State Department of Financial Services · 23 NYCRR Part 500 · Effective March 1, 2017 · Amended November 2023
Cybersecurity Requirements for Financial Services Companies

The most aggressively enforced cybersecurity mandate in U.S. financial services
23 NYCRR Part 500 Interactive Compliance Reference · Enforcement active: fines up to $30M issued · November 2025 final deadline passed
Regulatory Framework

The regulation that made cybersecurity a C-suite liability.

First enacted in March 2017, the NYDFS Cybersecurity Regulation (23 NYCRR Part 500) transformed cybersecurity compliance in financial services — and with its 2023 Second Amendment, made CEOs and CISOs personally accountable through mandatory dual-signature certification. Non-compliance now risks multi-million dollar fines, license revocation, and executive liability.

$30M · Largest Fine · Robinhood, 2022 · cybersecurity & compliance failures
72h · Reporting Window · Maximum time to notify DFS after a qualifying cybersecurity incident
23 · Sections · Part 500 breaks down into 23 sections of specific obligations
Apr 15 · Annual Deadline · Annual Certification of Compliance due every April 15th
5 yrs · Retention · All compliance documentation must be retained for five years
2 · Signatures Required · CEO + CISO must co-sign the annual certification under the amended rules

23 NYCRR Part 500
The 23 Sections — Interactive Reference


§500.01 Definitions
Establishes the definitions that govern the entire regulation — including "Covered Entity," "Nonpublic Information," "Cybersecurity Event," "CISO," and "Authorized User." These definitions set the scope and applicability of all subsequent requirements.
Covered Entity = any DFS-licensed or registered organization
Nonpublic Information = personal, financial, and health data
Cybersecurity Event = any unauthorized access or disruption attempt
§500.02 Cybersecurity Program
Each covered entity must establish and maintain a cybersecurity program based on a risk assessment. The program must protect the confidentiality, integrity, and availability of Information Systems. It forms the backbone of all Part 500 obligations.
Written cybersecurity program required — risk-assessment based
Must protect confidentiality, integrity, and availability of systems
Program must be regularly updated to reflect threat landscape
Documented policies across 15 minimum topic areas (see §500.03)
§500.03 Cybersecurity Policy
Covered entities must implement written cybersecurity policies addressing at minimum 15 defined areas. Policies must be based on the risk assessment and reviewed/approved by senior governance at least annually.
Information security & data governance/classification
Asset inventory, access controls & identity management
Business continuity, disaster recovery planning
Systems/network security, monitoring & security awareness training
Vendor/third-party management, incident response & vulnerability management
§500.04 Chief Information Security Officer
Every covered entity must designate a qualified CISO responsible for overseeing and implementing the cybersecurity program. The CISO may be an employee, affiliate staff, or third-party provider — but the covered entity retains full compliance responsibility.
Qualified individual must be designated as CISO
CISO must report annually in writing to Board or senior governing body
CISO + CEO must co-sign annual certification under 2023 amendments
CISO may be outsourced but entity retains liability
§500.05 Penetration Testing & Vulnerability Assessments
Cybersecurity programs must include monitoring and testing calibrated to the entity's risk assessment. This codifies penetration testing as an enforceable obligation, not merely a best practice.
Penetration testing at least annually by qualified tester
Automated vulnerability scanning — cadence based on risk assessment
Manual review required for systems not covered by automated scans
Remediation timelines must be documented and tracked
§500.06 Audit Trail
Covered entities must maintain audit trails that detect and respond to cybersecurity events. Logs must be tamper-evident and retained to support investigation and forensic reconstruction of incidents.
Audit trail systems designed to detect and respond to cybersecurity events
Records retained for minimum 3 years (5 years for certification documentation)
Logs must be protected against retroactive alteration
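The §500.06 audit-trail requirement is that records be tamper-evident and protected against retroactive alteration. One common way to meet that is a hash-chained, keyed log in which every entry commits to the entry before it, so editing or deleting a past record breaks every later link. The code below is an added illustration of that technique, not code from the page or from NYDFS; the signing key, event fields and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed key for the example only. In a real deployment the key lives in an
# HSM or secrets manager and is held by the verifier/collector, not the log writer.
SIGNING_KEY = b"example-only-audit-key"
GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int          # position in the chain; detects deletion/reordering
    timestamp: str
    actor: str
    action: str
    prev_hash: str    # entry_hash of the previous record (GENESIS for the first)
    entry_hash: str   # HMAC over this record's fields, including prev_hash


def _digest(seq: int, timestamp: str, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    payload = json.dumps([seq, timestamp, actor, action, prev_hash],
                         separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, actor: str, action: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, timestamp, actor, action, prev,
                      _digest(seq, timestamp, actor, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i  # gap, deletion or reordering
            expected = _digest(e.seq, e.timestamp, e.actor, e.action, e.prev_hash)
            if not hmac.compare_digest(e.entry_hash, expected):
                return i  # field altered after the fact
            prev = e.entry_hash
        return None


def build_sample_trail() -> AuditTrail:
    # Constructed sample events, not real log data.
    trail = AuditTrail()
    trail.append("2025-11-01T09:00:00Z", "alice", "login_success mfa=fido2")
    trail.append("2025-11-01T09:05:12Z", "alice", "read customer_record id=1042")
    trail.append("2025-11-01T09:07:40Z", "svc-backup", "export npi_archive rows=5000")
    return trail


def demo_retroactive_edit() -> Optional[int]:
    trail = build_sample_trail()
    trail.entries[1].actor = "bob"      # someone rewrites who did the read
    return trail.verify()               # -> 1


def demo_deleted_entry() -> Optional[int]:
    trail = build_sample_trail()
    del trail.entries[1]                # someone removes the middle record
    return trail.verify()               # -> 1


if __name__ == "__main__":
    print("intact:", build_sample_trail().verify())
    print("edited entry detected at:", demo_retroactive_edit())
    print("deleted entry detected at:", demo_deleted_entry())
```

A chain like this detects edits and deletions in the middle of the log but not truncation of the most recent entries, so the current head hash should be anchored periodically in a separate store (a WORM bucket, a SIEM under a different administrator, or a signed timestamp). The HMAC key must also be unavailable to whoever can write the log; otherwise an attacker with write access can simply rebuild the chain.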
§500.07 Access Privileges & Management
Entities must implement policies limiting access to systems and nonpublic information to authorized personnel only. Privileged access must be managed and reviewed, with particular scrutiny post-Second Amendment for Class A companies.
Least-privilege access policies required
Periodic user access reviews — at least annually
Class A: PAM (Privileged Access Management) solutions required
Disable or remove unnecessary accounts promptly
§500.12 Multi-Factor Authentication
MFA is universally required as of November 1, 2025. NYDFS has explicitly warned that push-based and SMS-based MFA are weak methods — phishing-resistant alternatives are strongly recommended. MFA failures have been cited in numerous enforcement actions.
MFA required for ALL users accessing ANY information system as of Nov 2025
Limited exemptions only for small entities meeting revenue/employee thresholds
Push-based MFA warned as insufficient — phishing-resistant recommended
Exceptions must be formally documented with compensating controls
§500.15 Encryption of Nonpublic Information
All nonpublic information — both in transit and at rest — must be encrypted using industry-standard methods. If encryption is infeasible in specific cases, compensating controls must be approved in writing by the CISO and reviewed annually.
Industry-standard encryption required in transit over external networks
Encryption at rest required — CISO can approve exceptions with compensating controls
CISO must review feasibility and compensating controls at least annually
§500.16 Incident Response Plan
A written incident response plan must be established and tested at least annually. The plan must define roles, communication protocols, remediation processes, and reporting obligations — including the 72-hour DFS notification requirement.
Written IRP required — tested at least annually
Must address internal processes, communication, and escalation
72-hour DFS notification for qualifying cybersecurity events
Plan must identify root cause analysis and remediation obligations
§500.17 Notices & Annual Certification
One of the most scrutinized requirements. Covered entities must file incident notifications within 72 hours AND submit an annual Certification of Material Compliance by April 15th — signed by both the CEO and CISO. Misrepresentation in certifications has driven multiple enforcement actions.
Notify DFS within 72 hours of determining a qualifying incident occurred
Annual Certification of Material Compliance due April 15th each year
Dual signature: CEO + CISO — creates personal executive liability
All supporting documentation retained for 5 years
§500.19 Exemptions (Small Business)
Limited exemptions from certain requirements exist for small businesses — but core obligations remain. Entities must file a Notice of Exemption and still maintain a cybersecurity program, manage access, conduct risk assessments, and fulfill notification duties.
Fewer than 20 employees and contractors (entity + all affiliates)
Less than $7.5M gross annual revenue in NY (last 3 years)
Less than $15M in year-end total assets
Even exempt entities must comply with core program, MFA, and reporting

Compliance Scope Tool
Does Part 500 Apply to Your Organization?
Standard Covered Entity: DFS-licensed bank, insurer, mortgage broker, credit union, or other regulated entity, under $20M revenue or under 2,000 employees
Class A Company: $20M+ NY revenue AND either 2,000+ employees OR $1B+ global revenue; most major financial institutions
Third-Party Service Provider: technology vendor, cloud provider, or services company with access to a Covered Entity's systems or nonpublic information
Potential Small Business Exemption: fewer than 20 employees, under $7.5M NY revenue, and under $15M total assets


§500.17(a) — Incident Response Obligation
The 72-Hour Notification Clock
The 72-hour window runs from the moment a qualifying cybersecurity incident is determined to have occurred, not from the moment it is discovered or contained.

§500.20 — Real Consequences
Notable NYDFS Enforcement Actions
Company | Year | Penalty | Incident Summary | Key Violation
Robinhood | 2022 | $30M | Multiple cybersecurity and compliance program failures across consumer-facing operations | Program Failures · BSA Compliance
EyeMed Vision Care | 2022 | $4.5M | Phishing attack compromised an email mailbox containing NPI on 1.3M+ individuals; delayed breach notification | Delayed Notification · Access Controls
PayPal | 2022 | $2M | Multi-factor authentication and access control weaknesses exposed customer accounts | MFA Failures · Access Management
First American Title Insurance | 2021 | $1.05M | Vulnerability in a public-facing app exposed 880M documents including sensitive financial records | Known Risk Not Remediated
OneMain Financial | 2023 | $4.25M | Secure coding training failures and vulnerability management gaps across lending operations | Vulnerability Mgmt. · Training Failures

Note: DFS maintains a live Enforcement Actions Portal at dfs.ny.gov. Enforcement increasingly targets operational failures, not merely documentation gaps. Even governance failures — absence of a functional CISO, board-level reporting failures — result in significant penalties.


Tiered Compliance Framework
Small Business Exemption vs. Standard vs. Class A
Small Business Exemption
<20 employees · <$7.5M NY revenue · <$15M assets
Cybersecurity program & policy required
Access privilege management
Risk assessments required
MFA (with limited exemption threshold)
72-hour incident notification
Annual certification filing
CISO designation
Penetration testing mandate
Independent audit
Third-party vendor oversight program
Standard Covered Entity
Most DFS-licensed institutions
Full cybersecurity program & policy
Designated CISO (may be outsourced)
Annual penetration testing
Universal MFA (Nov 2025)
72-hour incident notification
CEO + CISO dual-signature certification
Encryption (transit & at rest)
Third-party vendor management policies
Independent audit (standard entities)
PAM/EDR mandated solutions
Class A Company
$20M+ NY rev + 2,000 employees OR $1B+ global
All Standard Covered Entity requirements
Annual independent cybersecurity audit
Privileged Access Management (PAM) solution
Endpoint Detection & Response (EDR) system
Automated method to block commonly used passwords
Enhanced monitoring of privileged account activity
Stricter access review cadence for privileged users
Third-party provider self-attestation insufficient — full due diligence required
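The Class A list above includes an automated method to block commonly used passwords. The following is an added example of such a check, not code from the page or from NYDFS: it screens a candidate password against a blocklist, against context words such as the username or organization name, and against repetitive or sequential patterns, in the style of NIST SP 800-63B guidance. The blocklist here is a constructed handful of entries; a real deployment loads a large breached-password corpus, and the specific rules are this example's assumptions, not requirements stated in Part 500.

```python
import re
import unicodedata
from typing import Iterable, Optional

# Constructed sample blocklist for the example; load a full corpus in production.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "abc123", "monkey", "dragon",
}

# Undo the substitutions people use to dodge naive blocklists (0->o, 3->e, $->s ...).
LEET_MAP = str.maketrans("0134$@!", "oleasai")


def candidate_forms(password: str) -> set:
    """All normalized spellings of the password that should be compared to the blocklist."""
    base = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode().lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)   # drop trailing digits/punctuation ("Welcome1!")
    forms = {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    return {f for f in forms if f}


def _is_sequential(s: str) -> bool:
    # "abcdef" or "fedcba": every step moves exactly one code point.
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs <= {1} or diffs <= {-1}


def is_blocked(password: str, username: str = "", org_terms: Iterable[str] = ()) -> Optional[str]:
    """Return the reason the password is rejected, or None if it passes the screen."""
    forms = candidate_forms(password)
    base = password.lower()

    if forms & COMMON_PASSWORDS:
        return "common"
    for term in (username, *org_terms):
        term = term.lower()
        if len(term) >= 4 and any(term in f for f in forms):
            return "contextual"
    if len(base) >= 4 and len(set(base)) < 3:
        return "repetitive"
    if _is_sequential(base):
        return "sequential"
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [("P@ssw0rd!", ""), ("123456", ""), ("JSmith2025!", "jsmith"),
               ("abcdefgh", ""), ("aaaaaaaa", ""), ("correct horse battery staple", "")]
    for pw, user in samples:
        print(f"{pw!r:35} -> {is_blocked(pw, username=user, org_terms=['examplebank'])}")
```

The normalization step matters more than the size of the list: a blocklist that only does exact matching is defeated by appending a digit or swapping an "o" for a "0", which is exactly what users do when a first attempt is refused.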