NYDFS 23 NYCRR 500 in 2026: The Amendments That Just Changed Everything
The November 2023 amendments to 23 NYCRR 500 rolled out in phases through 2025 and 2026. If you are a Covered Entity and still operating under the 2017 baseline, you are already out of compliance. Full breakdown of what changed, enforcement patterns, and implementation checklist.
Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.
If you run a bank, insurer, or licensed financial firm doing business in New York, you've been living under 23 NYCRR Part 500 since 2017. That's the rule that first made a real-live CISO a regulatory requirement. With real-live fines attached.
First American Title. $1M in 2023. EyeMed. $4.5M in 2022. Robinhood. $30M in 2022 for combined AML and cyber failures. These numbers are not theoretical.
Then came the Second Amendment. Published November 2023. Phased in through November 2025. If your compliance program was last rebaselined against the 2017 text, you are operating under a regulation that no longer exists. The obligations got bigger, the timelines got tighter, and the Department of Financial Services is now actively auditing for compliance with the new language.
This post is what we actually walk clients through during NYDFS readiness engagements. The current state of Part 500 in 2026, what enforcement looks like right now, and the implementation checklist for getting your program back above the waterline.
Who is covered
A "Covered Entity" under Part 500 is any person or organization "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law" of New York.
Practically:
- Banks (state-chartered and foreign branches)
- Insurance companies (life, P&C, health)
- Mortgage lenders, brokers, servicers
- Money transmitters
- Virtual currency businesses (BitLicense holders)
- Investment advisers (where state-registered)
- Premium finance agencies
- Charitable foundations that hold certain financial licenses
Exemptions (limited):
- Section 500.19 exemptions for small businesses. Fewer than 20 employees AND less than $7.5M in gross annual revenue from New York operations AND less than $15M in year-end total assets
- Captive insurers and certain reinsurance arrangements
- Even exempt entities must still file Notice of Exemption and comply with a subset (Sections 500.02, 500.03, 500.09, 500.11, 500.13, 500.17, 500.18)
If you're a Covered Entity and have never registered with the DFS cybersecurity portal, that's your first problem.
What the Second Amendment changed
Expanded CISO role and accountability
Old (2017): CISO required to be designated, reporting annually to the Board.
New (Amended): CISO must have "adequate authority to ensure cybersecurity risks are appropriately managed." Board or Senior Governing Body must have members with "sufficient understanding of cybersecurity-related matters." CISO reports directly to Board on material cybersecurity issues. CISO signature required on annual certification of compliance (now split into two forms: Certification of Material Compliance or Acknowledgment of Noncompliance).
What this means in practice: the CISO can't be buried three levels under the CIO anymore. If your CISO can't get on the Board calendar, you're in violation.
Class A Companies: new elevated tier
The amended rule introduces Class A Companies. The largest Covered Entities with elevated obligations:
Threshold (must meet BOTH):
- At least $20 million gross annual revenue from New York operations (averaged over last 2 fiscal years) AND
- More than 2,000 employees OR more than $1 billion gross annual revenue from all operations
Class A Companies face additional requirements:
- Independent audit of cybersecurity program
- Monitoring of privileged access activity
- Automated blocks for commonly used passwords
- Endpoint detection and response (EDR) deployment
- Centralized logging and security event alerting
If you were operating as a "regular" Covered Entity and have since crossed into Class A thresholds (via growth, acquisition, or revenue), your reclassification obligation is on you, not on NYDFS.
MFA: no more exceptions
Old: MFA "or reasonably equivalent" access controls for remote access, effective 2018.
New: MFA required for ALL of:
- Remote access to Covered Entity's information systems
- Remote access to third-party applications from which nonpublic information is accessible
- All privileged accounts (except service accounts with no interactive login)
"CISO approved compensating controls" allowed only in rare documented cases with annual review. No more "MFA would be hard for the legacy VPN" exceptions.
Asset inventory and data governance
New Section 500.13(a): Covered Entity must maintain a documented asset inventory that tracks:
- Owner
- Location
- Classification or sensitivity
- Support expiration date
- Recovery time objectives
This isn't theoretical. Auditors are asking to see the CMDB or equivalent. If your inventory is a spreadsheet last updated in 2022, that's a finding.
Vulnerability management
New Section 500.05: must include automated vulnerability scans and "a prompt process to remediate vulnerabilities." "Prompt" isn't defined, but NYDFS guidance published in 2024 suggests:
- Critical/high severity: within 30 days
- Medium severity: within 60-90 days
- Risk-based exceptions documented by CISO
Vulnerability management must include:
- Annual penetration testing
- Bi-annual vulnerability assessments
- External scans
- Internal scans (including authenticated scans against critical systems)
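As an added illustration (not code from the original post or from Valtik's own tooling), here is a small Python checker that grades a vulnerability scan export against the remediation windows quoted above, so overdue findings and undocumented exceptions surface before anyone signs Form A. The 60-day "at risk" threshold for medium findings and the sample finding records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation windows in days, from the NYDFS 2024 guidance cited above. Medium is
# stated as 60-90 days; assumption: 90 is the hard limit, past 60 is "at_risk".
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90}
MEDIUM_WARN_DAYS = 60

@dataclass
class Finding:
    finding_id: str
    severity: str                          # critical / high / medium / low
    first_seen: date                       # date the scanner first reported it
    remediated: Optional[date] = None      # date it was verified fixed
    ciso_exception: Optional[str] = None   # reference to a documented exception

def finding_status(f: Finding, as_of: date) -> str:
    """Classify one finding against the remediation SLA as of `as_of`."""
    if f.ciso_exception:
        return "exception"         # risk-based exception documented by the CISO
    sev = f.severity.lower()
    if sev not in SLA_DAYS:
        return "untracked"         # low/info: no window in the cited guidance
    age = ((f.remediated or as_of) - f.first_seen).days
    if f.remediated:
        return "closed_in_sla" if age <= SLA_DAYS[sev] else "closed_late"
    if age > SLA_DAYS[sev]:
        return "overdue"           # this is what the auditor will ask about
    if sev == "medium" and age > MEDIUM_WARN_DAYS:
        return "at_risk"
    return "open_in_sla"

def sla_report(findings, as_of: date) -> dict:
    """Group finding ids by SLA status so gaps are visible before certification."""
    report = {}
    for f in findings:
        report.setdefault(finding_status(f, as_of), []).append(f.finding_id)
    return report
# Constructed sample scan export (ids and dates are made up), as of 2026-03-01.
AS_OF = date(2026, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2026, 1, 15)),                 # 45 days open
    Finding("F-2", "high", date(2026, 2, 20)),                     # 9 days open
    Finding("F-3", "medium", date(2025, 12, 20)),                  # 71 days open
    Finding("F-4", "medium", date(2025, 11, 1)),                   # 120 days open
    Finding("F-5", "high", date(2026, 1, 1), remediated=date(2026, 1, 20)),
    Finding("F-6", "critical", date(2025, 12, 1), remediated=date(2026, 1, 15)),
    Finding("F-7", "high", date(2025, 10, 1), ciso_exception="EXC-2025-07"),
    Finding("F-8", "low", date(2026, 2, 1)),
]
```

Feed it your scanner's export and every finding in `overdue` or `closed_late` without a documented exception is a gap to put on Form B rather than hide behind Form A.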
Incident reporting: 72 hours and more
Old: notify NYDFS of cybersecurity events within 72 hours.
New: 72-hour window retained, AND:
- Ransomware payment notification within 24 hours of payment
- Written description of reasoning for making a ransomware payment within 30 days, including alternatives considered, due diligence on sanctions screening, and approval by senior leadership
- Ongoing update obligations during the incident
This is the most aggressive ransomware reporting regime of any US financial regulator. Know what you'll file before you wire ransom money.
Business continuity and disaster recovery
New Section 500.16: BCDR plans must be in writing, tested annually, and include:
- Roles and responsibilities during an incident
- Recovery strategies for critical systems
- Offline backups
- Designated communication channels for when normal systems are down
- Tabletop exercises involving all relevant personnel
The offline backup requirement is explicit: "immutable" or "air-gapped" backups, the defense against ransomware encrypting your backups along with production, are now effectively mandatory.
Annual certification: two flavors
Filed by April 15 each year. Two forms:
Certification of Material Compliance (Form A). CISO and CEO (or equivalent senior officer) attest that during the prior calendar year the Covered Entity was in material compliance with the regulation.
Acknowledgment of Noncompliance (Form B). If not in material compliance, must describe areas of noncompliance, remediation plans, and timelines.
False certifications have been a DFS enforcement priority since 2023. First American Title's $1M settlement specifically cited misrepresentations in prior filings. DO NOT sign Form A if you know about material gaps.
Enforcement patterns 2024-2026
Who got hit
| Year | Entity | Penalty | Primary findings |
|---|---|---|---|
| 2020 | First American Title | $1.5M (later $1M settlement) | Exposed 885M records; CISO not properly empowered; false certifications |
| 2020 | Residential Mortgage Services | $1.5M | Failure to investigate and disclose phishing attack |
| 2021 | National Securities Corp | $3M | Four cybersecurity events not reported |
| 2022 | EyeMed Vision Care | $4.5M | Breach affecting 2.1M consumers; MFA gaps; risk assessment failures |
| 2022 | Robinhood Crypto | $30M | AML + cyber failures including Section 500 violations |
| 2023 | First American Title | $1M | Settlement of long-running case |
| 2024 | OneMain Financial | $4.25M | Third-party risk management failures, access controls |
| 2024 | PayPal (via Venmo-related filings) | $2M | Access control failures, inadequate MFA deployment |
| 2025 | [redacted] regional bank | $8M | EDR gaps, privileged account monitoring, Class A reclassification failure |
Common findings across enforcement actions
- MFA gaps. Partial deployment, service accounts with interactive login exempted
- Third-party risk management. Vendors with access to nonpublic information not assessed
- CISO authority. CISO exists on paper but has no budget authority or direct Board access
- Incident reporting delays. Events learned about internally but not reported within 72 hours
- Risk assessments. Boilerplate risk assessments that don't reflect the entity's systems
- Access controls. Dormant accounts, shared credentials, privileged access without justification
- Vulnerability management. Unpatched systems, no documented exception process
- False certifications. Form A signed with known material gaps
The 2026 implementation checklist
Governance (Sections 500.02, 500.03, 500.04)
- [ ] Cybersecurity program documented and approved by Senior Governing Body
- [ ] Written cybersecurity policy addressing all 14 required topics, reviewed annually
- [ ] CISO designated, with documented authority, budget, and direct Board reporting
- [ ] Board includes members with "sufficient understanding" of cybersecurity. Training records, committee composition
- [ ] Written cybersecurity risk assessment reviewed annually and on material change
- [ ] If Class A: documented determination of Class A status, independent audit scheduled
Technical controls (Sections 500.05, 500.06, 500.07, 500.12, 500.14, 500.15)
- [ ] MFA on all remote access, all privileged accounts, all third-party apps accessing NPI
- [ ] Asset inventory with owner, location, classification, support status, RTO
- [ ] Vulnerability management program with documented scan cadence and remediation SLAs
- [ ] Annual penetration test (external party recommended). We run these
- [ ] Bi-annual vulnerability assessments (internal or external)
- [ ] EDR on all endpoints (Class A) or equivalent monitoring for others
- [ ] Centralized logging with alerting on security events
- [ ] Encryption in transit and at rest for nonpublic information
- [ ] Privileged access management with monitoring (Class A: real-time)
- [ ] Secure development practices if developing applications that handle NPI
Third-party risk (Section 500.11)
- [ ] Third-party service provider policy
- [ ] Pre-engagement due diligence documented
- [ ] Periodic reassessment (at minimum annually for critical vendors)
- [ ] Contract language requiring MFA, encryption, breach notification, right to audit
- [ ] Inventory of third parties with access to NPI
Incident response and business continuity (Sections 500.16, 500.17)
- [ ] Written incident response plan
- [ ] Written business continuity and disaster recovery plan
- [ ] Annual tabletop exercises with documented results
- [ ] Offline/immutable backups with tested restore procedures
- [ ] 72-hour notification process documented with filing procedures and contacts
- [ ] Ransomware decision matrix including sanctions screening workflow
Training and personnel (Sections 500.10, 500.14)
- [ ] Annual cybersecurity training for all personnel
- [ ] Role-specific training for privileged users
- [ ] Phishing simulations or equivalent testing
- [ ] Personnel policies cover cybersecurity responsibilities
Certification (Section 500.17)
- [ ] Annual certification filed by April 15
- [ ] Certification supported by documented evidence (not CISO/CEO attestation alone)
- [ ] Known gaps result in Form B (Acknowledgment), not Form A, with remediation plan
Common failure modes we see in audits
The MFA gap that everyone misses. Service account used by the core banking integration. Not interactive, but it holds privileged access to NPI. Auditor asks "is this MFA?" and the answer is "it's a service account." That answer is no longer acceptable. Service accounts with NPI access need alternative strong authentication (certificate-based, managed identities, secret rotation with vault integration) documented as compensating controls.
The CISO who can't say no. CISO reports to CIO who reports to CFO. CISO has flagged a $200K gap. CIO reprioritizes the budget elsewhere. CISO complies. This structure fails the "adequate authority" test. The fix is either dotted-line reporting to the Board risk committee or documented escalation rights.
The third party that's not assessed. Marketing agency with access to customer contact lists (which may include some financial account data). The contract says they'll "use industry standard security." That's not a security assessment. That's a lie painted in beige.
The Class A that doesn't know it's Class A. Company grew past the threshold in 2024 via acquisition. Nobody reran the determination. 2025 certification filed as if still a regular Covered Entity. Missing independent audit and EDR requirements. Regulator finds this on first review.
The pentest that never happened. "We had a vulnerability scan." A vulnerability scan isn't a penetration test. The regulation distinguishes between 500.05(a)(1) penetration testing and 500.05(a)(2) vulnerability assessments. If you're filing Form A and you've only been running Nessus, you're filing a false certification.
What we do in a NYDFS readiness engagement
We run gap analyses against every section of 23 NYCRR Part 500 (as amended), produce a board-presentable executive summary, and follow with implementation support for the gaps.
Typical engagement:
- Week 1: document review, evidence collection, stakeholder interviews
- Week 2: technical testing (authenticated internal scan, external recon, spot-checks on MFA deployment, access reviews)
- Week 3: penetration test focused on NPI-handling systems
- Week 4: report, board presentation, remediation roadmap
For Class A clients we also coordinate the independent audit requirement (Section 500.02(d)) and integrate with existing SOC 2 or ISO 27001 programs.
Resources
- NYDFS Cybersecurity Regulation text: https://www.dfs.ny.gov/industry_guidance/cybersecurity
- DFS FAQs: https://www.dfs.ny.gov/industry_guidance/cyber_faqs
- NYDFS Cybersecurity Portal: https://www.dfs.ny.gov/apps_and_licensing/cybersecurity_portal
- Enforcement actions: https://www.dfs.ny.gov/reports_and_publications/press_releases
- Amendment history and phased implementation dates: https://www.dfs.ny.gov/industry_guidance/cybersecurity_resource_center
Hire Valtik Studios
NYDFS penetration testing is a specialty of ours. We handle the annual 500.05 pen test, the risk assessment update, and the evidence packages your CISO uses to sign Form A with confidence. If you're Class A and need the independent audit, we partner with CPA firms that have DFS experience.
Reach us at valtikstudios.com.