The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) took effect on March 1, 2017, and was the first US state regulation to impose specific cybersecurity requirements on financial services companies. The Second Amendment, adopted in November 2023, significantly expanded those requirements; its final provisions became effective on November 1, 2025, so the regulation is now fully in force.
Scope and Applicability
The regulation applies to every entity operating under a DFS license, registration, charter or similar authorization, including banks and trust companies, insurance companies, insurance agents and brokers, mortgage lenders and brokers, money transmitters, check cashers, and licensed lenders.
Limited exemptions (Section 500.19) are available to entities that have fewer than 20 employees (counting affiliates and independent contractors), less than $7.5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $15 million in year-end total assets. These exemptions are partial: they relieve the entity of specific sections such as the CISO designation, penetration testing and MFA requirements, but the entity must still maintain a cybersecurity program and policy, perform risk assessments, meet the third-party service provider requirements, and report incidents to DFS. An entity claiming an exemption must file a Notice of Exemption with DFS.
2023 Amendments Key Changes
The November 2023 amendments created "Class A Companies" as a new tier for the largest entities: those with at least $20 million in gross annual revenue from New York operations (including affiliates) in each of the last two fiscal years AND either more than 2,000 employees (including affiliates) or more than $1 billion in gross annual revenue from all operations in each of the last two fiscal years. Class A Companies face enhanced requirements, including an annual independent audit of the cybersecurity program, a privileged access management solution, automated blocking of commonly used passwords, and endpoint detection and response with centralized logging and alerting.
Other major changes include explicit coverage of ransomware in the incident reporting obligation, 24-hour notification of any extortion payment followed by a written explanation within 30 days, mandatory incident response and business continuity and disaster recovery plans that are tested at least annually, and direct accountability of the senior governing body (typically the board) for overseeing the cybersecurity program.
Key Requirements
CISO Designation (Section 500.4)
Every covered entity must designate a qualified CISO responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO may be an employee of the entity, of an affiliate, or of a third-party service provider, but in the latter cases the entity retains responsibility and must designate a senior person to direct and oversee the provider. The CISO must report in writing at least annually to the senior governing body on the state of the program, material cybersecurity risks, cybersecurity events, and plans for remediating material inadequacies, and must also report material cybersecurity issues to that body in a timely manner.
Multi-Factor Authentication (Section 500.12)
As of November 1, 2025, MFA is required for any individual accessing any information system of a covered entity, not only for remote access and privileged accounts as before. The regulation defines MFA as verification of at least two of the three factor types: knowledge (such as a password), possession (such as a hardware token), or inherence (such as a biometric). Two factors of the same type, for example a password plus a PIN, do not qualify, and device recognition, policy-based controls, or software certificates alone are insufficient. The CISO may approve reasonably equivalent or more secure compensating controls in writing, subject to at least annual review, which is how a phishing-resistant control that does not fit the two-of-three definition is documented. DFS recommends token-based MFA over push or SMS because AI-generated deepfakes and real-time phishing make those weaker factors easier to defeat.
Encryption (Section 500.15)
Covered entities must implement a written policy requiring encryption that meets industry standards for nonpublic information both in transit over external networks and at rest. For data in transit, no compensating controls are permitted. For data at rest, encryption may be replaced by effective compensating controls only where the CISO determines encryption is infeasible and approves the alternative in writing; the CISO must review both the feasibility of encryption and the effectiveness of the compensating controls at least annually.
Incident Reporting (Section 500.17)
Covered entities must notify DFS within 72 hours of determining that a cybersecurity incident has occurred, at the entity itself or at an affiliate or third-party service provider, where the incident requires notice to any government, self-regulatory or supervisory body, has a reasonable likelihood of materially harming any material part of normal operations, or involves ransomware deployed within a material part of the entity's information systems. Any extortion payment made in connection with such an incident must be reported within 24 hours, followed within 30 days by a written description of why the payment was necessary, the alternatives considered, the diligence performed to find alternatives, and the diligence performed to ensure compliance with applicable rules, including OFAC sanctions.
Third-Party Requirements (Section 500.11)
Written policies and procedures must address the identification and risk assessment of third-party service providers, the minimum cybersecurity practices required of them, due diligence performed before engagement, and periodic reassessment of the adequacy of their controls. The regulation also expects contracts to address access controls, MFA, encryption, and notification of cybersecurity events affecting the entity's information or systems. October 2025 guidance clarified what examiners expect to see in third-party risk management programs.
Compliance Timeline (Completed)
All phases are now complete. Final requirements for MFA and asset inventory became effective November 1, 2025. Annual Certification of Compliance including MFA and asset inventory is due April 15, 2026.
Enforcement Actions
DFS had imposed approximately $63.3 million in Part 500 penalties through September 2025 across its major enforcement actions. Notable cases include Genesis Global Trading ($8 million), eight auto insurance companies ($19 million in aggregate), PayPal ($2 million), and Healthplex ($2 million).
MFA deficiencies are the most common enforcement trigger, followed by weak access controls and inaccurate annual certifications. Late incident reporting compounds a breach with a separate compliance failure. DFS focuses on evidence of execution: controls that are actually deployed, reports filed on time, and outcomes that can be demonstrated rather than policies that exist only on paper.
Relationship to Other Frameworks
23 NYCRR 500 is the state counterpart to the federal GLBA Safeguards Rule and is consistently more prescriptive. The FTC's 2021 Safeguards Rule amendments (most provisions effective June 2023) drew heavily on the structure of the NY DFS regulation, including the qualified-individual, risk assessment, MFA and encryption elements. Organizations commonly map their controls to NIST CSF while meeting DFS requirements, and DFS's own assessment materials reference that framework.
Current Focus Areas
DFS has highlighted emerging threats including threat actors manipulating help desk personnel, social engineering aimed at resetting MFA tokens or enrolling new devices, caller ID spoofing, and AI deepfakes targeting voice and biometric authentication. Organizations should strengthen identity verification for account recovery and MFA reset requests, and should run social engineering simulations that target the help desk as well as end users.
The regulation is often called "Sarbanes-Oxley for cybersecurity" because of its management accountability requirements: the annual Certification of Compliance (or, where the entity was not fully compliant, an Acknowledgment of Noncompliance with a remediation plan) must be signed by the entity's highest-ranking executive and its CISO, placing personal accountability for the program's effectiveness on senior leadership.