NYDFS 23 NYCRR Part 500: The Complete Implementation Guide for 2026

#The regulation that actually enforces

New York financial services firms have been under 23 NYCRR Part 500 since 2017. I've watched the compliance posture in the industry evolve across three phases. Phase one (2017-2020) was "figure out what this requires." Phase two (2021-2023) was "build programs." Phase three, the one we're in now, is "keep up with the enforcement."

The New York Department of Financial Services treats Part 500 as its single most important tool. DFS enforcement has produced real multi-million dollar settlements. First American Title $1M. EyeMed $4.5M. Robinhood $30M. These aren't theoretical. They're signed consent orders published on the DFS website. Every settlement is a map of where enforcement is focused.

The November 2023 Second Amendment raised the bar. Phased implementation ran through November 2025. Now, in Q2 2026, DFS is auditing against the amended text. If your compliance program was last rebaselined against the 2017 rule, you are operating under a regulation that no longer exists. And the risk of finding out via enforcement is real.

This is the complete 2026 implementation guide for 23 NYCRR Part 500. Every section mapped to what it requires in practice. The Second Amendment changes in plain English. Budget ranges. How DFS examinations actually run. And the enforcement patterns we see most often.

#Who this applies to

Part 500 applies to "Covered Entities." Defined as any person or entity operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization from DFS under:

• New York Banking Law
• New York Insurance Law
• New York Financial Services Law

Common examples:

• Banks and credit unions
• Insurance companies, agents, brokers, producers
• Insurance premium finance companies
• Mortgage bankers and brokers
• Money transmitters
• Licensed lenders
• Virtual currency businesses (BitLicense holders)
• Holding companies with covered subsidiaries

Exemptions exist. Small Covered Entities under the thresholds qualify for partial exemption:

• Fewer than 20 employees (including independent contractors)
• Less than $10M in NY revenue in the prior three years
• Less than $25M in total assets

Small exemption gives relief from several (not all) requirements. Even small Covered Entities must maintain a cybersecurity program, risk assessment, and incident reporting.

#The Second Amendment timeline

Published November 1, 2023. Phased implementation:

• April 29, 2024. Most new/amended requirements effective.
• November 1, 2024. Privileged access management, multi-factor authentication on all remote access.
• May 1, 2025. Encryption of nonpublic information, asset inventory, CISO qualifications.
• November 1, 2025. Business continuity + DR testing, vulnerability management program.

As of writing this in Q2 2026, every phase is past. Full compliance is the current expectation.

#Section 500.1. Definitions

Key terms defined:

• Cybersecurity event. Any act or attempt to gain unauthorized access, disrupt, misuse, or harm an Information System or nonpublic information. Very broad. Includes attempts.
• Cybersecurity incident. A cybersecurity event that has occurred (not just attempted) that resulted in unauthorized access to nonpublic information.
• Nonpublic information. Three categories. Business information (confidential), personally identifiable information, health information.
• Affiliate. Any entity that controls, is controlled by, or is under common control with the Covered Entity.

Definitions matter because reporting obligations are triggered by them.

#Section 500.2. Cybersecurity program

Required elements:

• Identify risks and protect against unauthorized access
• Detect cybersecurity events
• Respond to and recover from cybersecurity events
• Fulfill regulatory reporting obligations

The framework. Every other section unpacks specific controls. Think of 500.2 as the table of contents.

#Section 500.3. Cybersecurity policy

Written policy covering at minimum:

• Information security
• Data governance and classification
• Asset inventory and management
• Access controls and identity management
• Business continuity and disaster recovery
• Systems operations and availability
• Systems and network security
• Systems and application development and quality assurance
• Physical security and environmental controls
• Customer data privacy
• Vendor and third party service provider management
• Risk assessment
• Incident response
• Notification process

Policy reviewed and updated annually. Approved by Board or senior officer. Risk assessment-driven.

#Section 500.4. CISO requirements

Covered Entity must designate a Chief Information Security Officer (or qualified equivalent) responsible for overseeing the cybersecurity program.

The Second Amendment added specific qualifications. CISO must have "adequate authority to ensure the development and implementation of an effective cybersecurity program."

Can be:

• Full-time CISO internal to the Covered Entity
• Part-time CISO
• Affiliate (shared CISO across subsidiaries)
• Third-party service provider (virtual CISO / vCISO)

If vCISO, Covered Entity must designate a senior officer responsible for direction and oversight.

CISO must report in writing to the Board at least annually. Report covers cybersecurity program state, risk, material events.

#Section 500.5. Penetration testing + vulnerability assessments

Two distinct requirements:

Penetration testing. Annual minimum. Based on risk assessment.

Vulnerability assessments. Continuous (automated scanning). Manual review at minimum annually.

Scope includes all Information Systems of the Covered Entity.

Pentest typically structured as:

• External network pentest
• Internal network pentest
• Web application pentest (if internet-facing apps exist)
• Specific pentest addressing material changes since last test

Evidence: Report retained 5 years. Findings tracked in POA&M. Remediation verified.

#Section 500.6. Audit trail

Covered Entity must maintain systems that include audit trails designed to detect and respond to cybersecurity events.

At minimum, audit trails must:

• Track privileged access
• Be maintained for at least 5 years (financial transactions)
• Be maintained for at least 3 years (other system events)
• Be protected from tampering

SIEM is the standard technical answer. Centralized log aggregation, tamper-resistant storage, alerting on privileged access events.

#Section 500.7. Access privileges

Periodic access reviews. Privileged access limited to the principle of least privilege. Revoke access upon termination.

The Second Amendment added explicit requirements:

• Privileged access review at minimum annually
• Review of shared accounts and service accounts
• Formal offboarding process with access revocation within 24 hours

Privileged Access Management (PAM) tool not explicitly required but increasingly expected. CyberArk, BeyondTrust, Delinea. At minimum, documented procedures + auditable logs for privileged access.

#Section 500.8. Application security

Software development lifecycle procedures to protect application security. Periodic assessment of third-party software.

For in-house development:

• Secure coding standards
• Code review procedures
• Application vulnerability testing
• Change management

For third-party software:

• Vendor security questionnaires
• Application testing (static/dynamic/interactive analysis)
• Patch management

#Section 500.9. Risk assessment

Risk assessment conducted at least annually. Documented. Reviewed and updated. Used as basis for the cybersecurity program.

Not a checklist exercise. Must address:

• Confidentiality of nonpublic information
• Integrity and security of Information Systems
• Availability of Information Systems
• Third-party risks
• Emerging threats

The risk assessment drives everything else. Control intensity proportional to risk.

#Section 500.10. Cybersecurity personnel

Qualified cybersecurity personnel sufficient to manage the cybersecurity risks.

Training for cybersecurity personnel, including continuous training. Verification that personnel maintain current knowledge.

In practice, DFS looks for:

• Dedicated cybersecurity headcount proportional to the firm
• Training records
• Certifications (CISSP, CISM, CISA, OSCP for offensive roles)
• Continuing education

#Section 500.11. Third-party service providers

One of the most frequently assessed sections. Covered Entity must have policies for:

• Due diligence on third parties
• Contracts requiring security obligations
• Periodic assessment
• Termination procedures

Concrete requirements include:

• Risk-based vendor classification
• Cybersecurity questionnaires
• Annual (or more frequent based on risk) vendor assessment
• Contractual incident notification requirements
• Right to audit or request evidence

The Second Amendment specifies that third parties must be assessed against the same controls the Covered Entity itself uses. If you require MFA internally, you must require it from vendors that access nonpublic information.

#Section 500.12. Multi-factor authentication

The Second Amendment expanded MFA dramatically.

Before. MFA required for:

• Remote access to internal network
• Remote access to nonpublic information

After (Second Amendment). MFA required for:

• Any individual accessing nonpublic information
• Privileged access
• Third parties accessing Information Systems

The expansion is enormous. Effectively every authenticated access path to nonpublic information requires MFA.

Phishing-resistant MFA (FIDO2, platform authenticators) explicitly preferred for privileged access. SMS-based MFA discouraged and increasingly insufficient.

#Section 500.13. Limits on data retention

Nonpublic information retained only as long as necessary for business or regulatory purposes. Secure disposal when no longer needed.

Documented retention schedule required. Systems capable of enforcing retention. Secure disposal documented.

#Section 500.14. Training + monitoring

Annual cybersecurity awareness training for all personnel.

The Second Amendment added specific requirements:

• Phishing-specific training
• Simulated phishing exercises
• Role-based training for personnel with privileged access
• Training for managing third-party services

Evidence: completion rates, phishing simulation metrics, role-based training records.

#Section 500.15. Encryption

Nonpublic information encrypted at rest and in transit.

Second Amendment strengthened:

• AES-256 or equivalent minimum
• TLS 1.2 minimum (TLS 1.3 recommended)
• Documented key management
• Compensating controls permitted only with documented risk acceptance

If encryption is infeasible, compensating controls must be in place. "Infeasible" is narrowly interpreted. A legacy system that can't support modern encryption is infeasible only if you've documented why replacement isn't practical.

#Section 500.16. Incident response plan

Written IR plan. Annually tested. Covers detection, response, notification, recovery, post-event analysis.

DFS-specific reporting requirements apply. Significant cybersecurity events reported to DFS within 72 hours. Reporting includes:

• Events where notice is required to regulators or third parties
• Events that reasonably required disruption of Information Systems
• Material ransomware/extortion events (even if no data breach)

72-hour window is shorter than many states and shorter than SEC's 4-day rule for public companies. Fast reporting matters.

#Section 500.17. Notices to superintendent

72-hour notification to DFS for cybersecurity events meeting threshold.

Additional annual notification: certification of material compliance with Part 500. Signed by CISO or senior officer. Filed by April 15 of each year.

#Section 500.18. Confidentiality of cybersecurity reports

Reports filed with DFS are confidential to the extent permitted by law. Covered Entity's internal reports to Board are similarly protected.

#The enforcement pattern in 2024-2026

DFS enforcement actions we've tracked:

• First American Title ($1M, 2023). Mortgage record exposure affecting hundreds of millions of records. Root cause: file URLs predictable, no authentication. Settlement for program deficiencies.
• EyeMed ($4.5M, 2022). Phishing of employee email, PII exposure of 2.1M consumers. Root cause: insufficient MFA, audit trail deficiencies.
• Robinhood ($30M, 2022). Multiple AML + cybersecurity deficiencies. Part 500 violations cited.
• NYDIG ($1.2M, 2023). Inadequate cybersecurity program for crypto custody.
• PayPal ($2M, 2024). Cybersecurity program gaps related to credential stuffing attack.

Common root causes:

• MFA gaps on privileged access
• Inadequate third-party risk management
• Insufficient audit trails
• Delayed incident reporting (violated 72-hour rule)
• CISO governance deficiencies
• Encryption gaps

The pattern. DFS is not enforcing on novel interpretations. They're enforcing on basic control failures.

#The DFS examination

How DFS actually conducts a Part 500 examination.

Pre-examination (typically 30-60 days before on-site).

• Notification letter sent
• Document request issued (SSP, policies, org charts, risk assessment, incident reports, pentest/vuln assessment results, vendor list with classifications)
• Meeting scheduled

Examination period (typically 2-4 weeks).

• On-site or virtual (post-2021 mostly virtual)
• CISO interviewed
• Technical staff interviewed
• Board governance review
• Specific controls tested
• Third-party vendor oversight reviewed
• Incident response plan reviewed

Post-examination.

• Preliminary findings discussed
• Management response
• Formal findings report
• Resolution. Either corrective action plan or enforcement action

Finding severity:

• Corrective actions. Most findings. Clear timelines expected. No immediate penalty.
• Enforcement referrals. Serious findings. Signed consent orders, monetary penalties, public disclosure.

#The compliance program framework

What a working Part 500 compliance program looks like in practice.

#Governance layer

• Board cybersecurity committee (or Board designee with cyber oversight)
• CISO with documented authority
• Quarterly Board reporting
• Annual independent review of the cybersecurity program
• Documented cybersecurity strategy

#Risk management

• Annual risk assessment (plus event-triggered updates)
• POA&M tracking all identified gaps
• Risk register with formal acceptance sign-offs
• Third-party risk classifications

#Technical controls

• MFA on every authenticated access to NPI
• PAM for privileged access
• SIEM with 5-year log retention
• EDR on every endpoint
• Encryption at rest + in transit with AES-256/TLS 1.2+
• Network segmentation isolating NPI-handling systems
• Pentest annually, vulnerability scan continuously

#Operational procedures

• Documented IR plan with 72-hour DFS notification workflow
• Tested DR + BCP (annually)
• Quarterly access reviews
• Annual training with phishing simulations
• Vendor questionnaires + annual assessments

#Evidence

• All of the above documented, timestamped, auditable
• 5-year retention for financial-system audit trails
• 3-year retention for other system audit trails
• Policy version history preserved

#Budget ranges

For a mid-market NY insurer or financial services firm (250-2500 employees):

Year-one compliance investment. $800K-$3M.

• Consulting + gap analysis: $100K-$400K
• Pentest + vuln assessment: $50K-$150K
• SIEM + EDR licensing: $150K-$500K
• PAM deployment: $80K-$400K
• MFA expansion: $50K-$200K
• CISO (external vCISO or internal hire + training): $150K-$400K/year
• Internal program team: $200K-$800K/year
• Board reporting infrastructure: $20K-$100K

Ongoing annual cost. $400K-$1.5M.

Firms that cut corners here tend to accumulate findings that lead to enforcement. Budget proportional to risk.

#The common implementation gaps

From our Part 500 readiness engagements, the gaps that keep appearing:

1. MFA gaps on legacy access paths. API access, service accounts, vendor remote access.
2. Audit trail retention insufficient. 3-year retention on transactional logs when 5 years is required.
3. Third-party risk program exists but doesn't actually assess vendors. Questionnaires go out, responses get filed, no actual validation.
4. Incident response plan exists but hasn't been tested. Or the test was 2 years ago.
5. Risk assessment from 2022 never updated. Controls no longer reflect the risk landscape.
6. CISO authority insufficient. Reports to CIO without Board access. Undermined in practice.
7. Vendor contracts lack 72-hour incident notification clauses. Breaches at vendors go unreported for weeks.
8. Encryption key management not documented. "AES-256" stated without supporting procedures.
9. Privileged access rotation unenforced. Domain admin passwords unchanged since 2018.
10. BCP/DR tested on a single isolated scenario, not meaningfully. Paper tests without failover.

Each is preventable with ongoing operational discipline.

#Working with us

We run Part 500 compliance readiness engagements for financial services firms operating in New York. Our typical engagement includes:

• Full gap assessment against the current (Second Amendment) text
• POA&M development
• CISO oversight support (vCISO engagement if desired)
• Technical control implementation assistance
• Pentest + vulnerability assessment execution
• IR plan development + tabletop facilitation
• Pre-examination preparation if DFS has initiated an exam

We work with Connecticut-based financial firms with NY licensing (common pattern) as well as firms based elsewhere in the US that need Part 500 coverage.

Valtik Studios, valtikstudios.com.