Educational Information Only
This page provides general educational information about cybersecurity laws and regulations. It does not constitute legal advice, legal interpretation, or a substitute for professional legal counsel. Laws change frequently. Always consult a qualified attorney and verify current requirements directly from official government sources before making compliance decisions. DecipherU is not a law firm and does not provide legal services.
NYDFS Cybersecurity Regulation, 23 NYCRR Part 500
23 NYCRR Part 500 is the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies. The regulation took effect March 1, 2017 and received a material Second Amendment effective November 1, 2023. It is one of the most prescriptive cybersecurity rules in the United States, requiring NY-licensed Covered Entities to designate a CISO, run a written cybersecurity program, perform annual penetration testing, deploy MFA, encrypt nonpublic information, and notify the Superintendent within 72 hours of a qualifying cybersecurity event.
Quick Reference
Key Requirements
500.2 (Cybersecurity Program)
Each Covered Entity must maintain a cybersecurity program based on its risk assessment that performs five core functions: identify, protect, detect, respond, and recover.
500.3 (Cybersecurity Policy)
A written cybersecurity policy approved at least annually by a senior officer or the board of directors, covering 14 enumerated areas including information security, data governance, access controls, business continuity, vendor management, and incident response.
500.4 (CISO)
Designate a qualified Chief Information Security Officer responsible for overseeing the cybersecurity program. The 2023 amendment requires the CISO to report material cybersecurity issues to the senior governing body and to report in writing at least annually on the program and material risks.
500.5 (Vulnerability Management)
Annual penetration testing by a qualified internal or external party, plus either continuous monitoring or, where continuous monitoring is not used, automated vulnerability scans at a frequency set by the risk assessment, with prompt remediation of findings. The 2023 amendment added an explicit requirement for a documented vulnerability management program and for automated scans.
500.6 (Audit Trail)
Maintain systems that can securely reconstruct material financial transactions and that include audit trails designed to detect and respond to cybersecurity events likely to materially harm normal operations. Records must be retained for at least 3 years or 5 years, depending on the record type.
500.7 (Access Privileges)
Limit user access privileges to nonpublic information and periodically review them. The 2023 amendment requires privileged access management, annual review of all access privileges, timely removal of access after a role change, and a prohibition on password sharing.
500.8 (Application Security)
Written procedures, guidelines, and standards for secure development of in-house applications and for evaluating, assessing, or testing the security of externally developed applications. Reviewed annually by the CISO.
500.9 (Risk Assessment)
Annual written risk assessment that informs the design of the cybersecurity program. The 2023 amendment requires reviews when the business or technology environment materially changes and impact assessments on confidentiality, integrity, security, and availability of information systems.
500.10 (Cybersecurity Personnel and Intelligence)
Use qualified cybersecurity personnel (internal staff, an affiliate, or a third-party service provider) sufficient to manage cybersecurity risks. Provide updates and training to keep personnel current on threats and countermeasures.
500.11 (Third Party Service Provider Security Policy)
Written policy governing third-party service providers based on a risk assessment, including due diligence, minimum cybersecurity practices required of third parties, periodic assessment, and contractual protections (MFA on the third-party side, encryption, notice of security events, representations and warranties).
500.12 (Multi-Factor Authentication)
MFA required for any individual accessing the entity's internal networks from an external network. The 2023 amendment expanded MFA to remote access to information systems, remote access to third-party applications from which nonpublic information is accessible, and all privileged accounts (with an exception only where the CISO has approved in writing a reasonably equivalent or more secure compensating control, reviewed annually).
500.13 (Asset Management and Data Retention)
Policies and procedures for secure disposal of nonpublic information no longer necessary. The 2023 amendment added a written asset inventory requirement covering all information systems with owners, locations, classifications, support expiration, and recovery time objectives.
500.14 (Monitoring and Training)
Risk-based controls to monitor authorized users and detect unauthorized access to or use of nonpublic information. The 2023 amendment added explicit requirements for endpoint detection and response, centralized logging and security event alerting (mandatory for Class A Companies), and annual cybersecurity awareness training that includes social engineering.
500.15 (Encryption of Nonpublic Information)
Encryption of nonpublic information both in transit over external networks and at rest. Compensating controls reviewed and approved annually by the CISO are permitted only where encryption is infeasible. The 2023 amendment narrowed the compensating-control exception.
500.16 (Incident Response and Business Continuity Management)
Written incident response plan addressing goals, internal processes for response, roles and responsibilities, external and internal communications, remediation, documentation, and post-incident evaluation. The 2023 amendment added a written business continuity and disaster recovery plan with annual testing, including ransomware-payment decision criteria for Class A Companies.
500.17(a) (Notice of Cybersecurity Event)
Notify the Superintendent as promptly as possible but no later than 72 hours after determining a Cybersecurity Event has occurred when (1) notice to any government body, self-regulatory agency, or supervisory body is required, (2) the event has a reasonable likelihood of materially harming any material part of normal operations, or (3) ransomware was deployed within a material part of the entity's information systems.
500.17(b) (Annual Certification or Acknowledgment)
By April 15 each year, each Covered Entity must submit one of two filings: a Certification of Material Compliance (signed by the highest-ranking executive AND the CISO) or a Written Acknowledgment of noncompliance with a remediation plan. The 2023 amendment replaced the prior single certification model with this two-track structure.
500.17(c) (Notice of Extortion Payment)
Added in the 2023 amendment: notify the Superintendent within 24 hours of any extortion payment made in connection with a Cybersecurity Event and within 30 days submit a written description of the reasons the payment was necessary, alternatives considered, sanctions diligence, and AML controls applied.
500.19 (Exemptions)
Limited exemptions for small Covered Entities with fewer than 20 employees, less than $7.5M in NY-related revenue, and less than $15M in total assets (revised thresholds under the 2023 amendment). Captive insurance companies, employees of Covered Entities, and certain reinsurers also have partial exemptions. Exempt entities must still file a Notice of Exemption.
500.20 (Enforcement)
Enforced by the Superintendent of Financial Services under NY Banking Law, Insurance Law, and Financial Services Law. The Superintendent may impose civil penalties under the applicable statute. The 2023 amendment confirms a single violation includes acts of commission or omission and that each instance of nonpublic information impacted may be a separate violation in enforcement actions.
500.21 (Effective Date and Transitional Periods)
Original regulation effective March 1, 2017 with staggered transitional deadlines through March 1, 2019. The Second Amendment took effect November 1, 2023 with phased compliance dates: April 29, 2024 (most provisions), November 1, 2024 (500.7, 500.14(a)(2)-(3), 500.15), May 1, 2025 (500.5, 500.9, 500.14(b)), and November 1, 2025 (500.13, 500.14(a)(1)).
How Does 23 NYCRR 500 Affect Cybersecurity Careers?
23 NYCRR 500 is the most prescriptive state-level cybersecurity rule in US financial services and a primary driver of CISO hiring at NY-regulated banks and insurers. CISOs at Covered Entities personally sign the annual Certification of Material Compliance, which creates direct regulatory accountability. Security engineers translate Part 500 sections into MFA rollouts, EDR deployments, encryption coverage, and privileged access controls. GRC analysts manage the annual risk assessment, vendor due diligence under 500.11, the April 15 filing, and Cybersecurity Event determinations under 500.17. Incident responders need playbooks tuned to the 72-hour Superintendent notice clock and the 24-hour extortion-payment notice added in 2023.
How Does 23 NYCRR 500 Affect Cybersecurity Sales?
Part 500 drives durable, named line-item demand in NY financial services. MFA, EDR, PAM, encryption, vulnerability scanning, log management, and BCDR tooling map cleanly to 500.7, 500.12, 500.14, and 500.16. The 2023 amendment expanded the addressable market by adding asset inventory (500.13), centralized logging for Class A Companies (500.14), and ransomware BCDR planning (500.16). Sales teams selling into NY-licensed banks, insurers, money transmitters, and virtual currency firms should cite specific 500.x sections in deal qualification and tie product capabilities to the April 15 certification filing.
Read the full text of 23 NYCRR 500 at the official source: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Frequently Asked Questions
What are the penalties for 23 NYCRR 500 non-compliance?
Up to $250,000 per violation or up to 1% of total banking assets under NY Banking Law (a per-violation cap). Recent settlements include Robinhood Crypto, $30M (2022); EyeMed, $4.5M (2022); First American Title, $1M (2021 ALJ decision); and PayPal, $2M (2025).