New York's Department of Financial Services (NYDFS) 23 NYCRR Part 500 cybersecurity regulation has been one of the most substantive state-level cybersecurity mandates in the country since its original 2017 effective date. The November 2023 amendments — the first major revision since inception — materially expanded the requirements for covered entities and introduced a new tiered compliance structure for the largest covered entities. If you are a bank, insurance company, mortgage servicer, or other financial services firm licensed in New York, these amendments have implementation deadlines that are not optional.
Who Is a Covered Entity
23 NYCRR 500 applies to entities operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law. This includes banks, insurance companies, mortgage companies, money transmitters, and premium finance companies chartered or licensed in New York. Out-of-state entities operating under DFS licenses are covered. Small businesses and limited operations may qualify for exemptions — but the exemption thresholds were tightened in the 2023 amendments, so entities that previously qualified for exemption should re-verify their eligibility.
Key November 2023 Amendment Changes
Enhanced MFA Requirements
The 2023 amendments require MFA for all access to information systems and nonpublic information, with limited exceptions only for alternative compensating controls approved by senior management and documented. The original regulation required MFA only for remote access; the amendment expanded the requirement to all privileged access and all access to systems holding nonpublic information. This is a significant expansion that affects internal access control architectures.
CISO Reporting and Board Notification
Section 500.4 now requires the CISO to provide a written report to the board of directors (or equivalent) at least annually, covering the cybersecurity program, material cybersecurity risks, and the overall effectiveness of the program. The board must review and accept the CISO report. This creates a governance record that DFS examiners will request.
For material cybersecurity events, covered entities must now notify the DFS within 72 hours of determining that a material cybersecurity incident has occurred — and provide simultaneous notice to the board. The definition of material cybersecurity incident was clarified to include ransomware deployment, unauthorized access to nonpublic information, and events that could materially impact normal operations.
Endpoint Detection and Response
Section 500.14 now explicitly requires covered entities to implement endpoint detection and response (EDR) solutions capable of detecting, alerting, and responding to anomalous activity. This is a named technology requirement — unusual in a principles-based regulation. Covered entities running legacy AV without EDR capability must upgrade. DFS examiners have been specifically asking about EDR during examinations since Q1 2024.
Penetration Testing Requirements
Section 500.5 requires annual penetration testing from both inside and outside the information systems' boundaries, plus automated vulnerability scans at a frequency determined by the risk assessment and promptly after any material system change. For Class A companies (defined below), the penetration testing requirement is more stringent. The testing must be conducted from the perspective of a threat actor and include the external attack surface and, where applicable, internal network penetration. Test results must be remediated based on risk and retained for three years.
Backup and Recovery Testing
Section 500.16 now requires covered entities to maintain and test backup and recovery capabilities specifically designed to address ransomware scenarios. The testing must verify that backups are immutable (cannot be encrypted by ransomware), isolated from production systems, and recoverable within the organization's defined RTO/RPO. Annual testing of recovery procedures is required, and test results must be documented.
Class A Company Requirements
The 2023 amendments created a new tier — Class A Companies — defined as covered entities with at least $20 million in gross annual revenue from New York operations AND either over 2,000 employees or over $1 billion in gross annual revenue (each averaged over the last two fiscal years, including affiliates). Class A companies face additional requirements including:
- Independent audit of the cybersecurity program annually
- Monitoring of privileged access activity, including all administrator accounts
- Automated vulnerability scanning at a frequency determined by the risk assessment, with manual review of uncovered systems
- Enhanced penetration testing including adversary simulation
- Mandatory use of a password vaulting solution for privileged access
Implementation Timeline
The amendments had a phased implementation timeline. Most core requirements had a 180-day implementation period from the November 1, 2023 effective date (April 29, 2024). Some requirements had extended 18-month timelines (May 1, 2025). All implementation deadlines have passed as of this writing — covered entities not yet in compliance are operating in violation of the regulation.
DFS Enforcement and Recent Actions
DFS has demonstrated willingness to levy significant penalties. The Robinhood Crypto, LLC consent order (2022, $30 million) — DFS's first crypto-sector enforcement action — established that the Department will pursue large penalties for anti-money-laundering and cybersecurity program deficiencies. The OneMain Financial consent order (2023, $4.25 million) cited shared administrator accounts on default passwords, weak access-privilege management, and lapsed third-party vendor due diligence. In aggregate, DFS has reported $144 million across 27 cybersecurity consent orders (NYDFS, October 2025). Following the 2023 amendments, DFS has begun using examination findings to initiate enforcement referrals where covered entities fail to remediate identified deficiencies within agreed timelines.
Overlap with SEC Cybersecurity Rules
Publicly traded covered entities face overlapping requirements between NYDFS 500 and the SEC's cybersecurity disclosure rules (effective December 2023). The SEC requires Form 8-K disclosure of material cybersecurity incidents within four business days of determining materiality. The NYDFS 72-hour DFS notification requirement is more demanding in timing. Dual-registered entities should implement unified incident classification procedures that simultaneously trigger both reporting obligations.
The Fortress MSSP vCISO practice specializes in NYDFS 500 compliance program development and examination preparation. The Fortress PTaaS program satisfies Section 500.5 penetration testing requirements with full documentation for examiner review. Contact us to assess your current compliance posture.