NYDFS NYCRR Part 500: Our Guide to Cyber Security Compliance and Assessments

The New York State government has long recognized that digital threats will only continue to escalate and harm the people, organizations, and institutions it serves. As an integral hub of financial activity, the New York State Department of Financial Services (NYDFS) was especially alarmed, stating that, “The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.”

Born out of that concern, the NYDFS Cybersecurity Regulation, officially known as 23 NYCRR Part 500, became the first state-level act in the US to meaningfully prescribe and enforce standards for data protection and information security risk mitigation. The landmark regulation establishes mandatory requirements for NYDFS-regulated organizations to implement risk-based cyber security programs and controls to protect Non-public Information, ensure operational resilience, and reduce cyber security incidents for consumers and the financial services industry.

Compliance is not optional. Covered entities must submit an annual certification of compliance with documented evidence to the NYDFS Superintendent by April 15th each year. They must also be prepared to defend their cyber security posture during NYDFS examinations or enforcement actions.

Key dates and timelines

Original publish date:

March 1, 2017

First amendment update:

April 2020

• Changed the annual certification filing date from February 15th to April 15th

Second amendment update:

November 1, 2023

• Final requirements took effect Nov. 1, 2025, including:
• A new category of "Class A Companies" in scope
• Renewed definitions for business leaders and CISOS, cyber security policy, "senior governing bodies", and cyber security incidents
• Revised MFA requirements
• Additional technical requirements
• Updated incident response standards
• Added section 500.24 for electronic filing exemptions

Covered Entities

NYCRR Part 500 applies to any 'Covered Entity' operating under a license, registration, charter, or authorization from NYDFS, including:

• Banks, trust companies, and credit unions.
• Insurance companies, agents, and brokers.
• Mortgage lenders and servicers.
• Money transmitters and virtual currency businesses.
• Investment advisers and other regulated financial service providers.

Class A Companies

The second batch of amendments to the regulation created a new category of large institutions with at least $20 million in gross annual revenue from operations in New York and secondary measures of either a headcount of 2,000+ employees OR over $1 billion in gross annual revenue globally.  

This Class A status also comes with extra requirements, non-exhaustively including:

• Independent audits
• Privileged access management systems
• EDR solution implementation

Small businesses and other entities

Certain small or low-risk entities may qualify for limited exemptions, in the case of:

• Having fewer than 20 employees and independent contractors
• Earning less than $7,500,000 in gross annual revenue in each of the last three fiscal years
• Retaining less than $15,000,000 in year-end total assets, including assets of all affiliates,

However, even these types of exempt organizations remain subject to core provisions such as access management, risk assessment and certification obligations.

A NYCRR 500 assessment evaluates an organisation’s alignment with each applicable section of the regulation. Assessment activities include policy and procedure analysis, interviews with key stakeholders, and requests for and examination of evidence to determine control sufficiency and effectiveness.

Key assessment topics include:

Governance, oversight, & program management

• Cyber security policies and procedures, designated authority (e.g., CISO), program evaluation, and annual certification.

Risk assessment & security strategy

• Review of risk assessment methodology, identification of cyber risks, and a risk-based approach to security control implementation.

Cyber security controls & safeguards

• Review of penetration testing and vulnerability management practices, audit logging, access controls, application and software security, encryption, and data retention and disposal.

Cyber security personnel & monitoring

• Cyber security training and awareness, monitoring and detection capabilities, and threat intelligence.

Third party risk management

• Vendor due diligence and risk assessments, contractual obligations, ongoing monitoring and issue resolution.

Incident response & regulatory notification

• Incident response plan, escalation procedures, testing and maintenance of response capabilities, and evaluation of NYDFS incident notification requirements.

Build meaningful cyber resilience

A comprehensive NYCRR 500 assessment does more than demonstrate compliance with NYDFS cyber security requirements. It strengthens your cyber security program, builds credibility with regulators, and positions your organization for long-term operational resilience.

By completing a Part 500 assessment, organizations gain a clear, NYDFS-aligned view of how effectively they protect Non-public Information, govern cyber security risk, and support confident annual certification and regulatory examinations.

Avoid enforcement actions

As dozens of organizations have unfortunately learned the hard way, the NYDFS Cybersecurity Regulation is not a mere framework or policy. The mandate allows the DFS body and superintendent to issue public consent orders, demand remediation, and levy fines. These fines can start at $1000 recurring per day, per individual violation.

Since 2021, the DFS has DFS has entered into consent orders with 27 entities for violations of the cybersecurity regulation which has resulted in over $144 million in fines. The monetary consequences can balloon to serious amounts, like in the case of GEICO’s $9.75 million penalty due to inadequate measures taken across four Part 500 sections.

The most common causes for fines:

• Failure to implement MFA: A frequent driver of penalties, with fines often targeting lack of multi-factor authentication (MFA).
• Delayed/failed breach reporting: Failing to disclose cyber breaches within the required 72-hour window.
• False certification: Falsely certifying compliance with Part 500.17 can trigger severe penalties.
• Poor risk assessment: Inadequate penetration testing and vulnerability assessments.

Non-compliance can cost businesses in other ways.

The DFS has made clear that protecting consumers and the integrity of New York’s financial institutions is the foundational goal of the regulation. Failure to properly report incidents or fix inadequate policies and controls puts your organization’s reputation in jeopardy. Public trust is crucial for continued growth.