Here’s What You Need to Know About
23 NYCRR Part 500 (NYDFS 500)

What is NYDFS 500?

NYDFS 500 refers to part 500 of chapter 23, a regulation created by the New York Department of Financial Services (NYDFS). This segment in the regulation aims to establish cybersecurity requirements for companies in the financial service industry.

NYDFS 500 can also be referred to as 23 New York Codes, Rules, and Regulations (NYCRR) 500 or New York State Department of Financial Security (NYSDFS) 500. NYDFS 500 specifically focuses on the protection of all nonpublic information, which refers to social security numbers, medical records, banking account numbers, etc.

Who's affected?

If you are a financial service, banking, or insurance company licensed in the State of New York, NYDFS 500 applies to you. Even if you aren’t physically operating out of NY, if you do business that requires NY licensures, this applies to you.

Why is this important?

Financial penalties for noncompliance can be steep and cyberattacks may threaten consumer data and overall trust in your services. On the flip side, if you follow the guidelines for a robust cybersecurity plan, you will become more appealing to prospective clients and protect the valuable personal information of your existing clients.


What are the requirements?

The requirements of NYDFS 500 are numerous and complex. You can find more information about the specific rules in the section below titled How to Comply.


When do you need to be compliant?

This regulation has been in effect since 2017. It states that if you are a company “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law,” you are required to comply annually and submit a report of compliance each year by April 15th.


But don’t panic. Get your business ready for compliance with BLPC.

Anniversary Logo

Contact Us Today
To Schedule Your
Discovery Call



This regulation aims to reduce the possibility of cyber-attacks, so the steps are numerous and involved. To summarize them, NYDFS 500 states that a compliant company must:

  • Build a “cybersecurity program” and assign a “qualified” individual to be a Chief Information Security Officer (CISO)
  • Create and follow a cybersecurity policy based on an annual company risk assessment. Specific areas the policy must cover are:
    - information security
    - data governance and classification
    - asset inventory and device management
    - access controls and identity management
    - business continuity and disaster recovery planning and resources
    - systems operations and availability concerns
    - systems and network security
    - systems and network monitoring
    - systems and application development and quality assurance
    - physical security and environmental controls
    - customer data privacy
    - vendor and third-party service provider management
    - risk assessment
    - incident response
  • Create a cybersecurity governance program that involves routine reporting and notifications to executives and a yearly report to the Board of Directors regarding the cybersecurity program and material cybersecurity risks
  • Conduct penetration testing every year and vulnerability assessments bi-annually
  • Implement multi-factor authentication (MFA)
  • Encrypt data both in transit and at rest
  • Provide regular training on security awareness to all personnel and monitor the activity of both authorized and unauthorized users
  • Notify the NYDFS superintendent of any security events within 72 hours of their occurrence
  • Using the DFS Cybersecurity Portal, submit a Certification of Compliance report annually. Reports for the calendar year 2022 are due on April 15th, 2023

The requirement for annual compliance reports should be met by April 15th of every year. There is a proposed amendment that, if approved, will not be adopted until the beginning of 2023. After that time, specific requirements will take effect anywhere from 30-180 days after the amendment is adopted.