Amendment to New York Department of Financial Services Cybersecurity Regulation 23 NYCRR 500

Posted June 22, 2023 | by Stan Letarte, Senior Security Strategist, GreyCastle Security
Check out our Webinar, Cybersecurity Regulations Impact Financial Orgs (NYDFS Regulation 23 NYCRR 500)

The New York State Department of Financial Services (DFS) has proposed an amendment that will significantly update 23 NYCRR 500, the cybersecurity requirements for financial services companies, commonly referred to as Part 500.

Failure to comply may result in civil penalties in the millions of dollars; you can read more about these actions on the Department of Financial Services Enforcement Actions website.

The goal of the amendment is to ensure that financial organizations adequately protect sensitive consumer information. Covered entities (CEs) must comply with the new requirements in phases, starting on the effective date of the second amendment, with transitional periods for certain provisions (see the implementation timeline at the end of this checklist). Some are suggesting that the amendment is likely to be adopted in 2023.

Five Steps to Align With New DFS 23 NYCRR 500 Amendment 

To plan, budget, and become compliant effectively, it is important to organize and understand the necessary changes and the impact they will have. Many of these changes have organization-wide impacts and require awareness and support from many business units.

        1. Understand the changes 
        2. Identify gaps in current program 
        3. Build a corrective action plan 
        4. Align stakeholders 
        5. Remediate gaps 

DFS 23 NYCRR 500 Amendment Checklist


500.01 DEFINITIONS

      • Validate which “class” your organization now falls into
      • Validate whether you are a “covered entity”
      • Understand the material changes to the clarified definitions of Independent Audit, Privileged Account, Risk Assessment, and Senior Governing Body


500.02 CYBERSECURITY PROGRAM

      • The program must now protect Nonpublic Information (NPI) itself, not only the information systems that store it
      • Class A companies must have an independent audit at least annually


500.03 CYBERSECURITY POLICY

      • Policies must be approved at least annually by the senior governing body (e.g., the board)
      • Policies must now be implemented with supporting procedures
      • New policy topics must be covered: data retention, remote access controls, end-of-life device management, security awareness training, and vulnerability management

500.04 CYBERSECURITY GOVERNANCE (formerly Chief Information Security Officer) 

      • The CISO (or qualified individual) must have adequate independence and authority and must report to the board (senior governing body)
      • Establish a senior governing body that must (1) exercise oversight of cybersecurity risk management, (2) require executive management to develop and maintain the cybersecurity program, and (3) have sufficient expertise and knowledge to oversee cybersecurity risk management effectively

500.05 VULNERABILITY MANAGEMENT (formerly “Penetration Testing and Vulnerability Management”)

      • Penetration testing must be performed by a qualified independent party (internal or external)
      • Flaws must be remediated in a timely manner
      • Material issues must be documented and reported to the senior governing body and senior management

500.07 ACCESS PRIVILEGES AND MANAGEMENT (formerly “Access Privileges”) 

      • Access privileges must be limited to those necessary to perform the user’s job 
      • Limit the number of privileged accounts 
      • Separate accounts for privileged access 
      • Perform, at least annually, access reviews and account reviews 
      • Disable or securely configure all protocols that allow remote control of devices 
      • Promptly terminate access following departures 
      • Maintain a password policy that implements industry-standard mechanisms 
      • Class A companies must implement (1) privileged access management solutions and (2) an automatic method of blocking commonly used passwords. 
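The last bullet is the one Class A control on this list that is implemented in code rather than in policy. The following is an added example written for this article (not code from DFS, GreyCastle, or any product) of what “automatically blocking commonly used passwords” looks like when done properly: candidates are normalized (case folded, leading/trailing digits and punctuation stripped, leet-speak undone) before the lookup, so “P@ssw0rd123!” is rejected along with “password”. The blocklist, the organization-specific context words and the 12-character minimum are constructed assumptions for the demo; a real deployment loads a large breached-password corpus and refreshes it.

```python
"""Blocking commonly used passwords at set/reset time (500.07, Class A).

Added example written for this article; it is not code from DFS,
GreyCastle, or any vendor product. The blocklist, the context words and
the 12-character minimum are constructed assumptions for the demo; a real
deployment loads a large breached/common-password corpus and refreshes it.
"""
import re
import unicodedata

# Constructed sample blocklist (production lists run to millions of entries).
COMMON_PASSWORDS = {
    "password", "qwerty", "welcome", "summer", "letmein",
    "iloveyou", "admin", "12345678",
}

# Organisation-specific words that should never appear in a password
# (assumption: the covered entity is called "Example Bank").
CONTEXT_WORDS = {"examplebank", "example"}

# Substitutions users apply to slip past a naive exact-match blocklist.
LEET_MAP = str.maketrans("@4310$57", "aaeiosst")


def normalize(password: str) -> str:
    """Collapse trivial variants of a common password onto one key.

    Steps: Unicode NFKC + casefold, strip leading/trailing digits and
    punctuation ("Summer2023!" -> "summer"), then undo leet-speak
    ("p@ssw0rd" -> "password").
    """
    s = unicodedata.normalize("NFKC", password).casefold()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET_MAP)


# Pre-normalise the blocklist once; drop "" so a digits-only entry such as
# "12345678" does not turn into a wildcard that matches everything.
_NORMALIZED_BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS} - {""}


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a candidate must be rejected; [] means accepted.

    The exact (case-folded) value is checked against the raw list and the
    normalised value against the normalised list, so both "Password" and
    "P@ssw0rd123!" are caught.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    folded = unicodedata.normalize("NFKC", password).casefold()
    norm = normalize(password)
    if folded in COMMON_PASSWORDS or norm in _NORMALIZED_BLOCKLIST:
        reasons.append("matches a commonly used password (or a trivial variant)")
    if any(word in norm for word in CONTEXT_WORDS):
        reasons.append("contains an organisation-specific word")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "Summer2023", "ExampleBank2024!!",
                      "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Two design points worth carrying into a real implementation: the check runs on the normalized form so a blocklist of a few million entries covers tens of millions of trivial variants, and the blocklist is normalized once at load time rather than per check so the hot path stays a set lookup.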


500.08 APPLICATION SECURITY

      • At least annually, review application security procedures, standards, and guidelines


500.09 RISK ASSESSMENT

      • Review and update the risk assessment at least annually and whenever a change in the business or technology causes a material change to cyber risk
      • Class A companies must use external experts to conduct the risk assessment


500.11 THIRD-PARTY SERVICE PROVIDER SECURITY POLICY

      • Removes the limited exemption for third-party service providers that are themselves covered entities


500.12 MULTI-FACTOR AUTHENTICATION

      • Allows for “risk-based authentication”
      • Allows CISO approval of equivalent or more secure compensating controls
      • Specifies three areas of implementation: (1) remote access to the CE’s systems, (2) remote access to third-party applications from which CE NPI is accessible, and (3) all privileged accounts
      • For more information, consult the NYS DFS industry letter on MFA dated December 7, 2021

500.13 ASSET MANAGEMENT AND DATA RETENTION REQUIREMENTS (formerly “Limits on Data Retention”) 

      • Asset Inventory must include owner, location, classification/sensitivity, support expiration date, and recovery time for each asset
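Most CMDB exports will not have every one of these fields populated, and the support expiration date is also what drives the new end-of-life device management policy under 500.03. The following is an added example written for this article (not DFS or GreyCastle code) of a completeness and end-of-life check over an inventory export: it flags rows missing any of the required attributes, rows whose support has already expired, and rows whose support ends within a configurable window. The CSV and its column names are a constructed sample and an assumption about how a covered entity might export its inventory.

```python
"""Asset-inventory completeness and end-of-life check (500.13(a)).

Added example written for this article; it is not DFS or GreyCastle code.
The CSV below is a constructed sample, and its column names are an
assumption about how a covered entity might export its CMDB. Run it
against a real export and the findings become the remediation list.
"""
import csv
import io
from datetime import date, timedelta

# The attributes 500.13(a) calls for, under assumed column names.
REQUIRED_FIELDS = (
    "owner", "location", "classification",
    "support_expiration", "recovery_time_hours",
)

# Constructed sample export: one complete row, one ownerless and already
# out of support, one with no recovery-time figure, one nearing end of life.
SAMPLE_INVENTORY = """\
asset_id,owner,location,classification,support_expiration,recovery_time_hours
srv-001,payments-team,nyc-dc1,NPI,2026-03-31,4
srv-002,,nyc-dc1,internal,2023-01-15,24
lap-117,j.doe,remote,NPI,2027-12-31,
fw-003,netops,nyc-dc1,internal,2023-08-30,2
"""


def audit_inventory(csv_text: str, today: date,
                    eol_warning_days: int = 90) -> dict[str, list[str]]:
    """Return {asset_id: [findings]}; an empty list means the row is clean."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Completeness: every required attribute must be present and non-blank.
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                issues.append(f"missing {field}")
        # End of life: expired support is a finding now, approaching expiry
        # is a warning so the device can be replaced or isolated in time.
        expiry_text = (row.get("support_expiration") or "").strip()
        if expiry_text:
            try:
                expiry = date.fromisoformat(expiry_text)
            except ValueError:
                issues.append(f"unparseable support_expiration {expiry_text!r}")
            else:
                if expiry < today:
                    issues.append(f"support expired {expiry.isoformat()}")
                elif expiry - today <= timedelta(days=eol_warning_days):
                    issues.append(
                        f"support ends within {eol_warning_days} days "
                        f"({expiry.isoformat()})")
        findings[row["asset_id"]] = issues
    return findings


def assets_needing_action(findings: dict[str, list[str]]) -> list[str]:
    """Asset IDs with at least one finding, in inventory order."""
    return [asset for asset, issues in findings.items() if issues]


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, today=date(2023, 6, 22))
    for asset, issues in report.items():
        print(asset, "->", "; ".join(issues) or "ok")
```

Run on a schedule, the output doubles as evidence for the annual review: the list of assets with findings on each run, and the dates they were cleared, shows the inventory is being maintained rather than produced once for the audit.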

500.14 MONITORING AND TRAINING (formerly “Training and Monitoring”)

      • Malicious code protection / email and web filtering are mandatory 
      • Minimum annual awareness training, including social engineering 
      • Class A companies must implement endpoint protection and centralized logging and alerting 

500.15 PROTECTION OF NONPUBLIC INFORMATION (formerly “Encryption”) 

      • Must have a written policy requiring encryption that meets industry standards
      • Where encryption is infeasible, compensating controls require written approval from the CISO


500.16 INCIDENT RESPONSE AND BUSINESS CONTINUITY MANAGEMENT (formerly “Incident Response Plan”)

      • Requires proactive measures to ensure resilience as part of the plan
      • Requires business continuity and disaster recovery plans and supporting processes, including training and testing


500.17 NOTICES TO SUPERINTENDENT

      • Specific cybersecurity event notification requirements, including updated timelines
      • The annual certification to the superintendent now requires a written statement identifying areas of compliance and any areas of non-compliance
      • Notification of an extortion (ransomware) payment within 24 hours and a full report within 30 days


500.22 TRANSITIONAL PERIODS (implementation timeline)

      • The second amendment becomes effective on publication of the Notice of Adoption in the State Register
      • After that date, covered entities are expected to have:
            • Immediate compliance with the new requirements specified in sections 500.19(e)-(h), 500.20, 500.21, 500.22 and 500.24
            • 30 days to comply with section 500.17
            • 12 months to comply with the new requirements specified in sections 500.16(e) and 500.19(a)
            • 18 months to comply with the new requirements specified in sections 500.5(a)(2), 500.7(b), 500.12(b), 500.14(a)(2), and 500.14(b)
            • 24 months to comply with the new requirements specified in section 500.13(a)

Ultimately, these changes will provide significant improvements to the safety of consumers and their sensitive information. Organizations will need to understand, with clarity, the changes and how they impact business operations and budgets. The best way to prepare is to start now and build an actionable plan with the support of senior stakeholders.

