Field Guide

NYDFS Cybersecurity Compliance (23 NYCRR 500): A Practitioner's Guide

The short version

23 NYCRR Part 500 is the New York Department of Financial Services cybersecurity rule. If you hold a New York banking, insurance, or financial-services license, you are a Covered Entity and you owe a written, risk-based cybersecurity program and policy, a qualified CISO, a periodic risk assessment, multi-factor authentication, encryption of nonpublic information, penetration testing and vulnerability scanning, a tested incident response plan, due diligence over third-party service providers, a 72-hour notice to the Department when a cybersecurity event occurs, and an annual filing that the highest-ranking executive and the CISO both sign. There is no blanket small-company carve-out. The limited exemptions shorten the list; they never erase it.

The first time most compliance officers read Part 500 they go looking for the part that does not apply to them. The license is the trigger. Once you hold a New York authorization, the live question becomes which version of the obligations you carry. People who treat this as an IT project file it under the wrong department and miss the parts that land on the board and the certifying executive.

This guide walks the regulation the way a practitioner has to live it: who is covered, where the limited exemptions sit, the program and the policy, the CISO, the risk assessment, the technical controls the rule names by hand, the incident response plan, the 72-hour notice, third-party security, and the annual certification. The structure underneath is the same identify-protect-detect-respond-recover spine that runs through modern cybersecurity practice, and Part 500 maps onto it cleanly once you see the shape.

Who is a Covered Entity

A Covered Entity is any person or business operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. The reach is broad on purpose. It pulls in state-chartered banks, branches of foreign banks licensed in New York, insurers and producers, mortgage bankers and brokers, money transmitters, check cashers, and licensed virtual-currency businesses, among others.

The obligation tracks the New York authorization, not where the company sits. A firm headquartered elsewhere that holds a New York license is a Covered Entity for that licensed activity. A firm with several licenses carries the obligation across all of them. The practical first step is an authorization inventory: list every New York license the company holds, because each one is a thread the Department can pull.

The limited exemptions, and what they do not remove

There is no exemption for being small in the everyday sense. What the rule provides is a set of limited exemptions, and the most common one turns on size. A Covered Entity can claim it when it falls under the thresholds the rule sets for employee count, gross annual revenue from New York operations, and year-end total assets. Other limited exemptions cover entities that do not operate their own information systems and do not control or possess nonpublic information, certain captive insurers, and certain reinsurers.

A limited exemption is a reduction, not a release. An entity that qualifies still owes the core of the regulation. To claim any of them, the entity has to file a notice of exemption with the Department. The dangerous read is to see the word "exemption" and assume the rule has gone away. It has not.

| Still applies under the common limited exemption | Relief the limited exemption provides |
| --- | --- |
| A written cybersecurity program based on the risk assessment | Some staffing and program-depth requirements scale down for the smallest entities |
| A written cybersecurity policy | Certain ongoing-monitoring and testing obligations are eased |
| Access controls and limitations on access privileges | The full penetration-testing and continuous-monitoring program may not be required at the same depth |
| The periodic risk assessment | Some training and awareness obligations are reduced |
| Third-party service provider oversight | No relief. The obligation stands. |
| The 72-hour notice of a cybersecurity event | No relief. The obligation stands. |
| The annual filing with the Department | No relief. The obligation stands. |

Read that left column twice. The notice and the annual filing never go away. The size-based exemption changes how deep the program has to go. It does not change whether the Department is watching.

The cybersecurity program and the cybersecurity policy

Two documents anchor the regulation, and they are not the same thing. The cybersecurity program is the working set of controls and processes that protect the confidentiality, integrity, and availability of the Covered Entity's information systems. It has to be built on the risk assessment and it has to perform the core security functions: identify cyber risks, use defensive infrastructure and policies to protect against them, detect cybersecurity events, respond to those events to mitigate harm, recover and restore normal operations, and fulfill the regulatory reporting obligations. That list is the identify-protect-detect-respond-recover model written into a regulation.

The cybersecurity policy is the written governance layer that sits above the program. It has to be approved by a senior officer or the board, and it has to address the areas the rule names: information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery, systems operations and availability, network security and monitoring, physical security, customer data privacy, vendor and third-party management, risk assessment, and incident response. The program is what you do. The policy is what the institution has committed to do, in writing, with senior sign-off.

The CISO

Every Covered Entity has to designate a qualified individual responsible for overseeing, implementing, and enforcing the cybersecurity program and policy. The rule calls this person the Chief Information Security Officer, and the role can be filled by an employee, an affiliate, or a third-party service provider. When the function is outsourced, the Covered Entity keeps responsibility, has to designate a senior member of its own staff to direct and oversee the third party, and has to require that the third party maintains a program meeting the regulation.

The CISO has to report in writing to the senior governing body, at least annually, on the cybersecurity program and on material cybersecurity risks. Under the amended rule the CISO also has to have adequate authority to act, including the ability to put plans in front of the board and to direct sufficient resources to manage the risks. That report carries weight beyond the filing. It is the record that the people who own the institution were told what the risks were.

The risk assessment

The risk assessment is the spine. The cybersecurity program, the policy, and the controls all have to be based on it, which means a stale or shallow assessment undermines everything built on top. It has to be conducted periodically and updated when business or technology changes materially. It has to be carried out under written policies and procedures, and it has to produce criteria for evaluating identified risks, criteria for assessing how existing controls address them, and a description of how the entity will mitigate or accept the risks that remain.

In practice this is the same likelihood-times-impact analysis that runs through any sound cybersecurity program. You catalog the assets and the nonpublic information, identify the threats and vulnerabilities, score the residual risk after existing controls, and decide for each one whether to mitigate, transfer, accept, or avoid. The discipline the regulation adds is that the decisions have to be documented and the program has to trace back to them.
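A worked version of the likelihood-times-impact register described above, added here as an illustration and not taken from the regulation or from any vendor's tool. It scores residual risk, records the mitigate/transfer/accept/avoid decision with its rationale, and runs the traceability check the rule implies in both directions: every risk above appetite needs a documented decision, and every control the program claims must trace back to a risk. The register entries, the appetite threshold, and the control names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample register; scores, appetite, and control names are assumptions for illustration.
RISK_APPETITE = 6  # assumed: a residual score (likelihood x impact) at or below this may be accepted


@dataclass
class Risk:
    risk_id: str
    asset: str                # information system or class of nonpublic information
    threat: str
    likelihood: int           # 1 (rare) .. 5 (expected), scored with existing controls in place
    impact: int               # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # existing and planned controls that address it
    treatment: str = ""       # mitigate / transfer / accept / avoid
    rationale: str = ""       # the written decision an examiner will ask to see

    @property
    def residual(self) -> int:
        return self.likelihood * self.impact


def evaluate(register, program_controls, appetite=RISK_APPETITE):
    """Check that every risk carries a documented decision consistent with appetite,
    and that every control in the program traces back to at least one risk."""
    undocumented = []
    orphan_controls = set(program_controls)
    for r in register:
        orphan_controls -= set(r.controls)  # a control referenced by a risk is traceable
        if not r.treatment or not r.rationale:
            undocumented.append(f"{r.risk_id}: no documented treatment decision")
        elif r.treatment == "accept" and r.residual > appetite:
            undocumented.append(f"{r.risk_id}: accepted above appetite (residual {r.residual})")
        elif r.treatment in ("mitigate", "transfer") and not r.controls:
            undocumented.append(f"{r.risk_id}: {r.treatment} with no control assigned")
    return {"undocumented": undocumented, "orphan_controls": sorted(orphan_controls)}


# The controls the program claims to operate (constructed sample).
PROGRAM_CONTROLS = {"MFA on remote access", "Encryption at rest", "Vendor contract terms", "Penetration testing"}


def sample_register():
    return [
        Risk("R1", "Customer NPI database", "Credential theft via remote access", 4, 5,
             ["MFA on remote access", "Encryption at rest"], "mitigate",
             "Residual 20 exceeds appetite; MFA and encryption reduce likelihood and impact"),
        Risk("R2", "Vendor-hosted claims portal", "Breach at the service provider", 3, 4,
             ["Vendor contract terms"], "transfer",
             "Notice, MFA and encryption terms required by contract; cyber policy covers loss"),
        Risk("R3", "Internal wiki", "Defacement", 2, 2, [], "accept",
             "No nonpublic information held; residual 4 is within appetite"),
        Risk("R4", "Privileged admin accounts", "Misuse of standing privileges", 3, 5),  # decision never recorded
    ]


if __name__ == "__main__":
    for risk in sorted(sample_register(), key=lambda r: r.residual, reverse=True):
        print(f"{risk.risk_id} residual={risk.residual:2d} treatment={risk.treatment or 'UNDECIDED'}")
    print(evaluate(sample_register(), PROGRAM_CONTROLS))
```

On the sample data the check flags R4, whose residual of 15 has no recorded decision, and "Penetration testing", a control the program runs that no risk in the register justifies.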

The controls the rule names by hand

Most of Part 500 is risk-based, meaning the depth of a control flexes with what the risk assessment shows. A handful of controls are written closer to flat requirements, because the Department has seen them fail too often to leave them entirely to judgment.

| Control | What the regulation requires |
| --- | --- |
| Multi-factor authentication | MFA for any individual accessing the Covered Entity's information systems. The CISO may approve a reasonably equivalent or more secure compensating control in writing, under narrow conditions. Stolen single-factor credentials are a recurring breach entry point, which is why this control is written tight. |
| Encryption | Encryption of nonpublic information both in transit over external networks and at rest. Where encryption is infeasible, the entity may use effective alternative controls reviewed and approved by the CISO, with that determination revisited over time. |
| Penetration testing | Penetration testing of information systems based on the risk assessment, conducted at the cadence the rule sets, by qualified internal or external testers. |
| Vulnerability assessments | Automated scans and manual review of systems designed to detect new vulnerabilities, run on a regular basis and after material changes, with timely remediation. |
| Access privileges | Limit and periodically review access privileges, apply the principle of least privilege, and give particular scrutiny to privileged accounts. |
| Audit trail | Maintain systems that can reconstruct material financial transactions and detect and respond to cybersecurity events, with records retained for the periods the rule sets. |
| Training and monitoring | Regular cybersecurity awareness training for all personnel, updated to reflect current risks, plus monitoring of authorized user activity. |
| Data retention and disposal | Policies for the secure disposal of nonpublic information that is no longer needed, except where retention is otherwise required. |

Incident response and the 72-hour notice to DFS

The Covered Entity has to maintain a written incident response plan designed to respond to and recover from any cybersecurity event that materially affects the confidentiality, integrity, or availability of its information systems or the continuing functionality of its business. The amended rule adds a written business continuity and disaster recovery plan and periodic testing of the response capability. A plan that has never been exercised stays a document on a shelf, and examiners can tell when a team has actually run its own drill.

The notice obligation is the one most people remember, and it is the one most often misread. A Covered Entity must notify the Superintendent of the Department as promptly as possible and no later than 72 hours after determining that a cybersecurity event has occurred. The clock starts on the determination, not the discovery, but a Covered Entity cannot sit on a determination to delay the clock. A reportable event includes an event that must be reported to another government body, self-regulatory agency, or supervisory body; an event with a reasonable likelihood of materially harming any material part of normal operations; and, under the amended rule, an event in which unauthorized access to a privileged account occurred or ransomware was deployed within a material part of the information systems.

The amended rule also requires notice to the Department when the entity makes an extortion or ransom payment connected to a cybersecurity event, with a follow-on written description of the reasons within a set window. The 72-hour notice is the headline, and the trail of related obligations behind it is where filings get missed.

Third-party service provider security

A breach at a vendor is still a breach of the Covered Entity's data. The regulation requires written third-party service provider policies and procedures, based on the risk assessment, that govern the security practices of the vendors that have access to the entity's information systems or nonpublic information. Those policies have to address how the entity identifies and risk-assesses its vendors, the minimum security practices a vendor must meet to do business, the due diligence used to evaluate them, and the periodic reassessment of their adequacy.

The rule points specifically at the contract terms a Covered Entity should require where applicable: the vendor's use of multi-factor authentication and encryption, notice to the Covered Entity when a cybersecurity event affects its data, and representations about the vendor's own cybersecurity. This is the supply-chain risk surface, and it is the one a Covered Entity cannot fully control, which is why the regulation forces it into writing and into contracts.

The annual certification of compliance

Each year a Covered Entity has to submit a written statement to the Department covering the prior calendar year. Under the amended rule the entity either certifies material compliance with the regulation or, where it was not in compliance, submits a written acknowledgment of noncompliance that identifies the areas, systems, or processes that did not comply and a remediation timeline. The submission has to be signed by the highest-ranking executive and the CISO, and the entity has to keep the records, schedules, and supporting data that back it for the period the rule requires.

This is where the regulation puts a name on a signature line. The certification is not a check-the-box exercise, because a filing unsupported by evidence is a liability the moment something goes wrong. The acknowledgment option that the amended rule added is the honest path for an entity with known gaps. It is far better to file an accurate acknowledgment with a remediation plan than to certify compliance you cannot prove.

The phased compliance timeline

The Second Amendment to 23 NYCRR Part 500, adopted on November 1, 2023, phased its new requirements across two years rather than switching them on at once. CISO board reporting (500.4), encryption (500.15), and incident-response and business-continuity testing (500.16) took effect on November 1, 2024. A further set took effect on May 1, 2025. The final phase took effect on November 1, 2025: expanded multi-factor authentication for any individual accessing any information system (500.12), and the asset-inventory requirement (500.13). Those were covered in the annual certification due April 15, 2026, so they are in force now, not pending.

A readiness checklist

Run this before the next annual filing, and again after any material change to the business or systems:

Part 500 rewards the institution that can show its work. When a program is documented, tested, and traceable to a real risk assessment, an examiner sees an institution that takes its own data seriously. When the binder is full of policies no one has ever exercised, the examiner sees that too. The regulation runs long and detailed, and what it asks for in the end is straightforward. Protect what you hold, and be able to prove you did it before anyone asks.

Common questions

Who has to comply with 23 NYCRR Part 500?

Any Covered Entity, meaning any person or business operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. That sweeps in banks, insurers, mortgage companies, money transmitters, virtual-currency businesses, and many others regulated by the New York Department of Financial Services. The obligation follows the New York authorization, not the location of the headquarters.

What is the 72-hour notification requirement under the NYDFS Cybersecurity Regulation?

A Covered Entity must notify the Superintendent of the Department of Financial Services as promptly as possible and no later than 72 hours after determining that a cybersecurity event has occurred. The clock runs from the determination that a qualifying event happened, which includes events reportable to another regulator, events with a reasonable likelihood of materially harming normal operations, and, under the amended rule, events where unauthorized access to a privileged account occurred or ransomware was deployed in a material part of the systems.

Does the NYDFS Cybersecurity Regulation require multi-factor authentication?

Yes. The amended regulation requires multi-factor authentication for any individual accessing the Covered Entity's information systems, with narrow conditions under which the CISO may approve a reasonably equivalent or more secure compensating control in writing. MFA is one of the few controls written as a near-flat requirement rather than purely risk-based, which reflects how often stolen single-factor credentials are the entry point in financial-sector breaches.

What is the annual certification of compliance under Part 500?

Each year a Covered Entity submits a written statement to the Department covering the prior calendar year. Under the amended rule the entity either certifies material compliance with the regulation or submits an acknowledgment of noncompliance that identifies the gaps and a remediation timeline. The submission must be signed by the highest-ranking executive and the CISO, and the entity must keep the records and schedules that support it. A false certification carries real exposure, so evidence has to stand behind the submission before it goes out.

Are small companies exempt from the NYDFS Cybersecurity Regulation?

There is no blanket small-company exemption. There are limited exemptions, the most common being for a Covered Entity that meets size thresholds tied to employee count, gross annual revenue from New York operations, and year-end total assets. A limited exemption relieves the entity of some requirements but never all of them. The core obligations, including the risk assessment, the limited cybersecurity program, the 72-hour notice, and the annual filing, still apply, and the entity must file a notice of exemption to claim it.
From the team behind this guide

NYDFS cybersecurity compliance, built to show its work

Compliance Command Center runs a 23 NYCRR Part 500 program the way the Department reads it: a current risk assessment that the whole program traces back to, the cybersecurity program and policy mapped to the controls the rule names, the CISO's annual report on record, MFA and encryption coverage tracked against the requirement, penetration testing and vulnerability findings managed to remediation, third-party oversight documented down to the contract terms, an incident response workflow built around the 72-hour notice, and the annual certification supported by retained evidence before anyone files it. Practitioners run the program and the software carries the routine work, so the records that prove compliance exist before an examiner asks. Built by compliance practitioners (JD, CAMS), not engineers guessing at what the regulation needs.
