What is NYDFS 23 NYCRR 500?
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, formally known as 23 NYCRR Part 500, is a mandatory cybersecurity framework for financial services companies regulated by the NYDFS. Effective March 2017 and significantly amended in November 2023, it was the first state-level cybersecurity regulation in the US and has influenced cybersecurity regulation across the financial sector globally.
The regulation applies to banks, insurance companies, money transmitters and other financial services entities that hold a DFS licence. Its reach extends beyond New York — any entity doing business in New York that requires a DFS licence must comply, making it effectively a national standard for US financial services cybersecurity.
| Attribute | Detail |
|---|---|
| Standard body | New York Department of Financial Services (NYDFS) |
| Current version | Amendment 2 (November 2023) |
| Mandatory or voluntary | Mandatory for DFS-licensed entities |
| Geography | New York State; applies to any entity with a DFS licence |
| Official resource | dfs.ny.gov |
Key Requirements
| Section | Requirement | Key obligations |
|---|---|---|
| 500.02 | Cybersecurity programme | Establish and maintain a cybersecurity programme based on a risk assessment |
| 500.03 | Cybersecurity policy | Board-approved cybersecurity policy covering 14 specified domains |
| 500.04 | CISO | Designate a qualified CISO responsible for cybersecurity programme — annual report to board required |
| 500.05 | Penetration testing | Annual penetration testing and bi-annual vulnerability assessments |
| 500.06 | Audit trail | Maintain audit trails for cybersecurity events — minimum 3-year retention |
| 500.07 | Access privileges | Limit access privileges — privileged accounts reviewed at least annually |
| 500.08 | Application security | Secure development practices and testing for in-house and third-party applications |
| 500.09 | Risk assessment | Periodic risk assessments — basis for cybersecurity programme design |
| 500.10 | Cybersecurity personnel | Qualified cybersecurity personnel — annual security awareness training for all staff |
| 500.11 | Third-party service providers | Policies for third-party provider security — including minimum cybersecurity standards in contracts |
| 500.12 | Multi-factor authentication | MFA required for all external access and privileged accounts — expanded in 2023 amendment |
| 500.13 | Data retention limits | Dispose of non-public information no longer needed for business operations |
| 500.14 | Training and monitoring | Annual cybersecurity awareness training — monitor authorised user activity |
| 500.15 | Encryption | Encrypt non-public information in transit and at rest using approved methods |
| 500.16 | Incident response plan | Written incident response plan — tested annually |
| 500.17 | Notices to superintendent | Notify DFS within 72 hours of a cybersecurity event — annual certification of compliance |
Securitora Assessment
NYDFS 23 NYCRR 500 is the most prescriptive US state cybersecurity regulation and has set the standard for financial services cybersecurity regulation nationwide. The 2023 amendment significantly strengthened requirements — particularly around MFA, privileged access management and board accountability. Any financial services entity holding a DFS licence must comply, and the DFS has demonstrated willingness to enforce with significant penalties. Organisations already compliant with NIST CSF or ISO 27001 will find significant overlap but will still need to address NYDFS-specific requirements around CISO designation and mandatory notifications.
| Attribute | Detail |
|---|---|
| Recommended for | Banks, insurers, money transmitters and all DFS-licensed financial services entities |
| Difficulty to implement | Medium to High; prescriptive requirements with mandatory board involvement and annual certification |
| Best used with | NIST CSF 2.0 · ISO 27001 · SOC 2 |
| Official resource | dfs.ny.gov |