NY DFS 23 NYCRR 500 - What You Need to Know
23 NYCRR 500 is the New York Department of Financial Services (NY DFS) cybersecurity regulation — one of the most prescriptive cybersecurity mandates in the United States. If your organization holds a DFS license or is a DFS-regulated entity, compliance is not optional.
Who Does It Apply To?
The regulation applies to all entities operating under DFS licensure, registration, or charter, including:
- Banks and trust companies
- Insurance companies
- Mortgage brokers and lenders
- Money transmitters
- Licensed financial services companies
Third-party service providers to these entities are indirectly in scope: Section 500.11 requires covered entities to maintain written policies and due-diligence processes for vendors that access their information systems or nonpublic information, so vendor contracts end up carrying the regulation's requirements.
Core Requirements
Cybersecurity Program (Section 500.2)
Every covered entity must maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. The program must be based on a risk assessment.
Cybersecurity Policy (Section 500.3)
A written policy approved by a senior officer or the board, covering:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and disaster recovery
- Systems and network security monitoring
- Incident response
- Third-party service provider security
Chief Information Security Officer (Section 500.4)
A qualified CISO must be designated to oversee and implement the cybersecurity program. The CISO can be employed by the entity, an affiliate, or a third-party provider — but accountability remains with the covered entity.
Penetration Testing and Vulnerability Assessments (Section 500.5)
The cybersecurity program must include monitoring and testing, developed in accordance with the risk assessment, including:
- Annual penetration testing by a qualified internal or external party, conducted from both inside and outside the information systems' boundaries (the inside/outside requirement was added in 2023)
- Vulnerability assessments: the original text required them bi-annually, meaning twice a year; the 2023 amendment replaced the fixed cadence with automated scans (plus manual review of systems the scans cannot cover) at a frequency set by the risk assessment, and promptly after any material system change
Access Privileges and Management (Section 500.7)
Limit access privileges to information systems that provide access to nonpublic information to what each user needs to perform their job. Privileges must be reviewed periodically (at least annually under the 2023 amendment), and accounts and access that are no longer necessary must be removed or disabled.
Risk Assessment (Section 500.9)
A periodic risk assessment must be conducted to inform the cybersecurity program. The assessment must be updated as reasonably necessary to address changes to the entity’s information systems, nonpublic information, or business operations.
Multi-Factor Authentication (Section 500.12)
Under the original text, MFA is required for:
- Remote access to the entity's network
- Access to third-party applications that contain nonpublic information
- Privileged accounts
The 2023 amendment broadens this: from November 2025, MFA is required for any individual accessing any information system of the covered entity, with exceptions only where the CISO has approved reasonably equivalent compensating controls in writing. The three-item list above remains the requirement for entities that qualify for the limited exemption.
Data Encryption (Section 500.15)
Nonpublic information must be encrypted both in transit over external networks and at rest. If encryption at rest is not feasible, compensating controls must be approved by the CISO.
Incident Response Plan (Section 500.16)
A written incident response plan must address:
- Internal processes for responding to cybersecurity events
- Goals of the incident response plan
- Definition of clear roles, responsibilities, and levels of decision-making authority
- Communication plans (internal and external)
- Remediation and reporting requirements
Notification Requirements (Section 500.17)
Covered entities must notify DFS within 72 hours of determining that a cybersecurity event has occurred that:
- Requires notification to any government body, self-regulatory agency, or supervisory body
- Has a reasonable likelihood of materially harming normal operations
The 2023 Amendments — What Changed
In November 2023, NY DFS finalized significant amendments that raised the bar:
Governance Enhancements
- The board of directors (or equivalent) must oversee cybersecurity risk management
- The CISO must report to the board at least annually on the cybersecurity program
- The board must have sufficient expertise or use advisors to exercise effective oversight
New Asset Inventory Requirement
- Covered entities must maintain a complete, accurate, and documented asset inventory, including hardware, software, and data
Enhanced Access Controls
- Implementation of privileged access management (PAM)
- Automatic revocation of access upon personnel departure
- Disable or securely configure all protocols that permit remote control of devices
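Sections 500.7 and 500.12 together describe an access review: reconcile who still works here against who still has access, check that privileged accounts use MFA, and confirm that privileged access has been re-attested within the review period. The script below is an added example, not code from DFS or from the regulation; it reconciles a constructed HR roster against a constructed identity-provider export and emits one finding per control failure. The record shapes, the one-year review interval and the `mfa_all_users` switch (which models the amended rule's MFA-for-everyone requirement) are assumptions for the example.

```python
"""Access-review reconciliation: HR roster vs. identity-provider export.

Added example, not from DFS or the regulation. Demonstrates the periodic
privilege review and prompt-revocation checks of 23 NYCRR 500.7 and the
privileged-account MFA check of 500.12. All input data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # assumed: annual re-attestation of privileged access


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class IdpAccount:
    user_id: str
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_reviewed: Optional[date]    # date an owner last attested the access is still needed


def review_access(hr: list, idp: list, today: date, mfa_all_users: bool = False) -> list:
    """Return one finding dict per control failure; an empty list means the review is clean.

    mfa_all_users=False applies the original 500.12 scope (privileged accounts);
    mfa_all_users=True applies the amended scope (every user).
    """
    hr_by_id = {r.user_id: r for r in hr}
    findings = []

    for acct in idp:
        rec = hr_by_id.get(acct.user_id)

        # 500.7: an enabled account with no owner in HR is an orphan and cannot be attested.
        if rec is None:
            if acct.enabled:
                findings.append({"user": acct.user_id, "control": "500.7",
                                 "issue": "enabled account with no HR record (orphaned)"})
            continue

        # 500.7: access must be terminated promptly when the person departs.
        if rec.status == "terminated" and acct.enabled:
            days_open = (today - rec.termination_date).days if rec.termination_date else None
            findings.append({"user": acct.user_id, "control": "500.7",
                             "issue": "account still enabled after termination",
                             "days_since_termination": days_open})
            continue

        if not acct.enabled:
            continue  # disabled accounts need no further checks

        # 500.12: privileged accounts (or all accounts, under the amendment) must use MFA.
        if (acct.privileged or mfa_all_users) and not acct.mfa_enrolled:
            findings.append({"user": acct.user_id, "control": "500.12",
                             "issue": "account without MFA",
                             "privileged": acct.privileged})

        # 500.7: privileged access must be re-reviewed within the interval.
        if acct.privileged and (acct.last_reviewed is None
                                or today - acct.last_reviewed > REVIEW_INTERVAL):
            findings.append({"user": acct.user_id, "control": "500.7",
                             "issue": "privileged access review overdue",
                             "last_reviewed": acct.last_reviewed.isoformat()
                             if acct.last_reviewed else None})
    return findings


# Constructed sample data (not real users or systems).
HR_ROSTER = [
    HrRecord("alice", "active"),
    HrRecord("bob", "terminated", date(2024, 3, 1)),
    HrRecord("carol", "active"),
    HrRecord("dave", "active"),
]

IDP_EXPORT = [
    IdpAccount("alice", enabled=True, privileged=True, mfa_enrolled=True, last_reviewed=date(2024, 5, 10)),
    IdpAccount("bob", enabled=True, privileged=False, mfa_enrolled=True, last_reviewed=None),
    IdpAccount("carol", enabled=True, privileged=True, mfa_enrolled=False, last_reviewed=date(2023, 1, 15)),
    IdpAccount("dave", enabled=True, privileged=False, mfa_enrolled=False, last_reviewed=None),
    IdpAccount("svc-backup", enabled=True, privileged=True, mfa_enrolled=True, last_reviewed=date(2024, 6, 1)),
]

AS_OF = date(2024, 6, 30)


def run_sample() -> list:
    """Run the review over the constructed data with the original 500.12 scope."""
    return review_access(HR_ROSTER, IDP_EXPORT, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Over the sample data the review reports bob's account (still enabled 121 days after termination), carol's privileged account (no MFA, and last reviewed more than a year ago) and the orphaned `svc-backup` account; dave's non-privileged account without MFA is only flagged when `mfa_all_users=True`. In practice the HR and identity-provider inputs would be exported from the systems of record, and the findings feed the evidence a CISO signs off on in the annual review.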
Business Continuity and Disaster Recovery (BCDR)
- Explicit requirement for BCDR plans that address cybersecurity events
- Plans must be tested at least annually
- Must include recovery time objectives and backup procedures
Expanded Notification
- Notification within 72 hours now explicitly covers ransomware deployed within a material part of the entity's information systems
- Must notify DFS within 24 hours of making an extortion payment
- Within 30 days of the payment, must submit a written description of why payment was necessary, the alternatives considered, and the diligence performed (including sanctions checks) before paying
- Separately, the annual certification of material compliance (or acknowledgment of noncompliance) must be signed by both the highest-ranking executive and the CISO
Compliance Tiers
The 2023 amendments introduced a tiered compliance structure:
| Tier | Criteria | Additional Requirements |
|---|---|---|
| Class A | At least $20M gross annual revenue from the entity and its NY affiliates in each of the last two fiscal years, AND either more than 2,000 employees (two-year average, entity + affiliates) OR more than $1B gross annual revenue in each of the last two fiscal years (entity + affiliates) | Annual independent audit of the cybersecurity program, privileged access management solution, automated blocking of commonly used passwords, endpoint detection and response with centralized logging and security event alerting |
| Standard | All other covered entities | Full 23 NYCRR 500 requirements |
| Limited Exempt | Any one of: fewer than 20 employees including independent contractors (entity + affiliates, in NY or serving NY business); less than $7.5M gross annual revenue in each of the last three fiscal years from NY operations; less than $15M year-end total assets (entity + affiliates) | Exempt from, among others, the CISO, testing, audit trail, application security, training, encryption and incident-response plan sections; still subject to the cybersecurity program, policy, access privileges, risk assessment, third-party provider policy, the original three-case MFA requirement, and DFS notification |
Mapping to Industry Frameworks
The NIST CSF category identifiers below follow CSF 1.1; CSF 2.0 renumbers several (for example, access control moves from PR.AC to PR.AA) and adds a Govern function. ISO references are to ISO/IEC 27001:2022.
| 23 NYCRR 500 Section | NIST CSF Function | ISO 27001 Control |
|---|---|---|
| 500.2 Cybersecurity Program | All Functions | A.5.1 Policies for Information Security |
| 500.5 Pen Testing | Detect (DE.CM) | A.8.8 Management of Technical Vulnerabilities |
| 500.7 Access Privileges | Protect (PR.AC) | A.8.2 Privileged Access Rights |
| 500.9 Risk Assessment | Identify (ID.RA) | Clause 6.1.2 Information Security Risk Assessment |
| 500.12 MFA | Protect (PR.AC) | A.8.5 Secure Authentication |
| 500.15 Encryption | Protect (PR.DS) | A.8.24 Use of Cryptography |
| 500.16 Incident Response | Respond (RS.RP) | A.5.24 Information Security Incident Management Planning and Preparation |
Getting Started with Compliance
- Conduct a gap assessment — Map your current controls against all 23 NYCRR 500 sections, including the 2023 amendments
- Classify your tier — Determine if you’re Class A, Standard, or Limited Exempt
- Update your risk assessment — Ensure it reflects current threats, including AI-related risks and supply chain vulnerabilities
- Review third-party contracts — Verify that vendor agreements include cybersecurity requirements aligned with Section 500.11
- Test your incident response plan — Conduct tabletop exercises that rehearse the 72-hour DFS notification, the 24-hour extortion-payment notice, and the 30-day written follow-up
- Report to the board — Establish a cadence for CISO-to-board reporting on cybersecurity posture
23 NYCRR 500 is not a one-time compliance exercise. It requires continuous monitoring, periodic reassessment, and ongoing adaptation to evolving threats. Treat it as a living program, not a checklist.
This analysis is based on the publicly available 23 NYCRR 500 regulation and the November 2023 amendments published by the New York Department of Financial Services.