NYDFS Cybersecurity Regulation 23 NYCRR 500: A Complete Reference
The New York Department of Financial Services Cybersecurity Regulation, codified at 23 NYCRR Part 500, establishes binding cybersecurity requirements for financial services companies operating under NYDFS licensure or registration. First effective March 1, 2017, and substantially amended in November 2023, the regulation sets prescriptive controls across risk assessment, access management, incident response, and governance. This reference covers the regulation's scope, structural requirements, classification thresholds, enforcement mechanics, and the tensions that have emerged in its application across covered entities of varying sizes.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
23 NYCRR Part 500 applies to any person operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law (NYDFS, 23 NYCRR 500.01). This population — collectively called Covered Entities — includes state-chartered banks, mortgage servicers, money transmitters, insurance companies, health insurers, and licensed financial intermediaries operating in New York State.
The regulation's definitions are precise. Nonpublic Information (NPI) under 23 NYCRR 500.01(g) covers business-related information whose unauthorized disclosure would cause material adverse impact, as well as personal financial and health data. Information Systems under 500.01(e) include all systems — hardware, software, networks, data storage, and related infrastructure — used to access, transmit, or store NPI.
Scope boundary: 23 NYCRR 500 is a NYDFS regulation with jurisdiction limited to entities licensed or regulated by the New York Department of Financial Services. It does not apply to New York State government agencies (governed by state IT security policies from the New York State Office of Information Technology Services), healthcare providers regulated solely under HIPAA, or general businesses without NYDFS licensure. Federal financial institutions regulated exclusively by the OCC, FDIC, or Federal Reserve fall outside NYDFS's primary jurisdiction, though they may interact with 500 through third-party and affiliate obligations. Adjacent regulatory frameworks — including the New York SHIELD Act and the New York data breach notification requirements — apply to broader classes of entities and are not covered here.
The regulatory context for how 23 NYCRR 500 fits within New York's broader cybersecurity governance framework is detailed at Regulatory Context for New York Cybersecurity.
Core Mechanics or Structure
The regulation is organized around a cybersecurity program requirement, not a checklist. Section 500.02 mandates that each Covered Entity maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its Information Systems and NPI. The program must be based on a formal risk assessment conducted under 500.09.
Key structural components under the 2023 amended regulation:
Risk Assessment (§500.09): Must be updated continuously or at least annually. The assessment informs the calibration of all other controls.
Cybersecurity Policy (§500.03): A written policy approved by Senior Officers or the Board, covering 14 enumerated areas including data governance, asset inventory, access controls, third-party service provider management, and incident response.
Chief Information Security Officer (§500.04): A qualified CISO — internal or through a third-party affiliate — must oversee the cybersecurity program and report at least annually to the Board or Senior Officers on program status, risks, and resource adequacy.
Access Controls (§500.07): Privileged access must be limited and managed. The 2023 amendments added explicit requirements for multi-factor authentication (MFA) for all remote access and for any access to privileged accounts, extending prior MFA requirements that applied more narrowly.
Asset Management (§500.13): Covered Entities must maintain a current, comprehensive inventory of all Information Systems assets and their ownership.
Vulnerability Management (§500.05): Includes both vulnerability assessment (continuous monitoring or periodic penetration testing) and a documented remediation schedule, with critical vulnerabilities addressed within defined timeframes.
Incident Response Plan (§500.16): A written, tested plan addressing detection, response, mitigation, and recovery, including internal and external communication protocols.
Third-Party Service Provider Security (§500.11): Written policies governing vendor due diligence, contractual minimum security requirements, and periodic reassessment of third parties with access to NPI. The New York third-party vendor cybersecurity landscape reflects the downstream complexity this requirement creates.
Notification to NYDFS (§500.17): Covered Entities must notify NYDFS within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming any material part of normal operations, or that meets the definition of a reportable event under state or federal law. The 2023 amendments expanded notification triggers.
Annual Certification (§500.17(b)): Each Covered Entity must submit an annual compliance certification to NYDFS confirming the entity's cybersecurity program materially complies with 23 NYCRR 500. The certification is signed by the highest-ranking executive or the Board and carries legal weight.
Causal Relationships or Drivers
23 NYCRR 500 was promulgated in direct response to documented failures in financial sector cybersecurity. In its 2016 proposed rulemaking notice, the NYDFS cited the 2014 JPMorgan Chase breach, which exposed data on approximately 76 million households, and recurring patterns of failure across licensed insurance and banking entities. The regulation represents a regulatory response to the inadequacy of voluntary frameworks and incident-driven remediation.
The 2023 amendments were driven by the NYDFS's examination findings from 2017 to 2022, which identified persistent gaps in three areas: governance accountability (boards not sufficiently engaged), third-party risk (contractual controls absent or unenforced), and privileged access management (weak MFA adoption). Each amendment maps directly to an identified systemic failure pattern.
For broader threat context, the New York cybersecurity threat landscape and New York financial sector cybersecurity pages document the incident patterns that continue to drive regulatory attention.
The regulation also reflects the influence of the NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology (NIST). The Identify, Protect, Detect, Respond, Recover structure of the NIST CSF is visible in 23 NYCRR 500's requirement architecture, though the NYDFS regulation is prescriptive where the CSF is voluntary and outcome-based.
Classification Boundaries
23 NYCRR 500 establishes three distinct compliance tiers based on entity size and risk profile:
Class A Companies (§500.01(b)): Defined in the 2023 amendments as Covered Entities with either (a) over $20 million in gross annual revenue in each of the last two fiscal years from all New York business operations, plus more than 2,000 employees globally (including affiliates), or (b) more than $1 billion in gross annual revenue globally. Class A Companies face the most stringent obligations, including independent audit requirements, annual penetration testing, and enhanced vulnerability scanning.
Standard Covered Entities: All entities that meet the basic applicability threshold but do not qualify as Class A. They are subject to the full suite of Part 500 requirements.
Limited Exemptions (§500.19): Entities meeting one or more of the following thresholds may apply for a limited exemption from specified requirements:
- Fewer than 10 employees (including independent contractors) in New York
- Less than $5 million in gross annual revenue averaged over the last 3 fiscal years from all business operations
- Less than $10 million in year-end total assets
Exempt entities must still file a notice of exemption with NYDFS and must comply with a reduced subset of requirements. Exemption does not equal exclusion — core incident reporting obligations still apply.
Captive Insurance Companies have historically operated under modified guidance from NYDFS, and smaller mortgage brokers with limited NPI exposure may also qualify for limited-exemption status.
The New York cybersecurity risk assessment framework underpins how entities calibrate their compliance obligations within these tiers.
Tradeoffs and Tensions
Prescriptiveness vs. Risk-Based Flexibility: The regulation's specificity — 72-hour notification windows, enumerated policy domains, mandatory MFA — reduces compliance ambiguity but creates rigidity for entities whose risk profiles do not align with the regulation's implicit model. A rural mortgage broker and a global insurance carrier face structurally different threat landscapes but operate under the same framework.
Small Entity Burden: The limited-exemption thresholds ($5 million revenue, 10 employees) were set in 2017 and have not been inflation-adjusted. Entities that marginally exceed these thresholds bear full compliance costs that may represent a disproportionate operational burden, a tension acknowledged in public comments during the 2022 amendment process.
Third-Party Accountability Gap: Section 500.11 requires Covered Entities to impose minimum cybersecurity standards on third-party service providers by contract, but enforcement of those standards depends on the Covered Entity's audit rights and the vendor's cooperation. NYDFS has no direct enforcement jurisdiction over most third-party vendors that are not themselves NYDFS-licensed. The New York cybersecurity service providers sector operates within this gap.
72-Hour Notification Window: The notification obligation attaches when a Covered Entity determines that a reportable event has occurred. The determination threshold creates interpretive ambiguity — investigations routinely take longer than 72 hours to reach certainty, creating pressure between legal notification obligations and operational accuracy.
Board Expertise Requirement: The 2023 amendment requiring boards to maintain sufficient cybersecurity expertise or receive regular expert briefings has no defined competency standard. This creates uncertainty about what constitutes compliance, particularly for smaller mutual insurance companies or community banks with limited governance resources.
The New York cybersecurity laws and compliance reference documents how these tensions intersect with other applicable regulatory regimes.
Common Misconceptions
Misconception 1: "The limited exemption means no obligations apply."
Incorrect. Entities qualifying for a limited exemption under §500.19 must still (a) file a formal Notice of Exemption with NYDFS, (b) maintain basic cybersecurity controls appropriate to their risk profile, and (c) comply with incident notification requirements. The exemption relieves specific procedural obligations, not the fundamental program requirement.
Misconception 2: "23 NYCRR 500 is satisfied by achieving SOC 2 certification."
Incorrect. SOC 2 is an auditing standard produced by the American Institute of Certified Public Accountants (AICPA) covering service organization controls. It addresses different domains, uses different criteria, and does not establish compliance with 23 NYCRR 500. NYDFS examiners assess 23 NYCRR 500 compliance independently of any third-party audit certification.
Misconception 3: "Federal bank regulators' cybersecurity requirements substitute for 23 NYCRR 500."
Incorrect. Dual-regulated entities, such as state-chartered banks that are Federal Reserve members, must satisfy both federal prudential cybersecurity guidance (e.g., the Cybersecurity Assessment Tool and related guidance from the Federal Financial Institutions Examination Council (FFIEC)) and 23 NYCRR 500. Federal guidance does not preempt New York's regulation.
Misconception 4: "The annual certification is an IT department function."
Incorrect. The certification under §500.17(b) must be signed by the Covered Entity's highest-ranking executive or the Board of Directors. NYDFS has indicated in enforcement actions that governance accountability — not just technical compliance — is the focus. The New York cybersecurity incident response framework is directly implicated in the certification's accuracy.
Misconception 5: "Only New York-headquartered entities are covered."
Incorrect. Any entity that holds a NYDFS license, charter, or registration is a Covered Entity, regardless of its state of incorporation or principal location. An insurance company domiciled in Connecticut but licensed to write business in New York under New York Insurance Law is subject to 23 NYCRR 500 with respect to its New York-licensed operations.
Checklist or Steps
The following sequence reflects the compliance program lifecycle as structured by 23 NYCRR 500. This is a regulatory reference sequence, not professional advice.
Phase 1: Initial Assessment and Scoping
- [ ] Confirm NYDFS licensure or registration status triggering applicability
- [ ] Determine Class A Company status using §500.01(b) thresholds ($20M revenue + 2,000 employees, or $1B global revenue)
- [ ] Assess limited-exemption eligibility under §500.19 (fewer than 10 employees, less than $5M revenue, or less than $10M total assets)
- [ ] File Notice of Exemption with NYDFS portal if applicable
Phase 2: Program Foundation
- [ ] Conduct or update formal Risk Assessment per §500.09
- [ ] Designate or appoint qualified CISO per §500.04
- [ ] Draft or update written Cybersecurity Policy covering all 14 domains in §500.03
- [ ] Obtain Board or Senior Officer approval of Cybersecurity Policy
Phase 3: Technical Controls Implementation
- [ ] Implement MFA for all remote access and privileged accounts per §500.07
- [ ] Establish asset inventory for all Information Systems per §500.13
- [ ] Deploy vulnerability scanning and penetration testing schedule per §500.05
- [ ] Implement audit trail and logging capabilities per §500.06
Phase 4: Third-Party and Workforce Controls
- [ ] Conduct third-party vendor due diligence per §500.11
- [ ] Execute written third-party cybersecurity agreements
- [ ] Implement annual cybersecurity awareness training program per §500.14(b)
Phase 5: Incident Response Readiness
- [ ] Draft and test written Incident Response Plan per §500.16
- [ ] Establish internal escalation and 72-hour notification determination process per §500.17(a)
- [ ] Confirm reporting channel to NYDFS Cybersecurity Portal is operational
Phase 6: Annual Compliance Cycle
- [ ] CISO prepares annual report to Board on program status and material risks
- [ ] Update Risk Assessment
- [ ] Conduct or confirm annual penetration test (Class A Companies: mandatory; others: risk-based)
- [ ] File Annual Certification of Compliance with NYDFS by April 15 of each year per §500.17(b)
The broader New York cybersecurity certifications and licensing landscape intersects with workforce qualification elements of this cycle. The index for this reference network maps the full scope of New York cybersecurity regulatory topics.
Reference Table or Matrix
23 NYCRR 500: Key Requirements by Entity Classification
| Requirement | Limited-Exempt Entities | Standard Covered Entities | Class A Companies |
|---|---|---|---|
| Cybersecurity Program (§500.02) | Scaled to risk profile | Full | Full |
| Formal Risk Assessment (§500.09) | Required | Required | Required (continuous) |
| Written Cybersecurity Policy (§500.03) | Not required | Required (14 domains) | Required (14 domains) |
| CISO Designation (§500.04) | Not required | Required | Required |
| MFA for Remote/Privileged Access (§500.07) | Not required | Required | Required |
| Asset Inventory (§500.13) | Not required | Required | Required |
| Penetration Testing (§500.05) | Not required | Risk-based | Annual (mandatory) |
| Third-Party Vendor Policy (§500.11) | Not required | Required | Required + annual |