The NYDFS 500 CISO Requirement: Who Qualifies, and Can You Outsource It?
23 NYCRR 500 requires every non-exempt firm to designate a Chief Information Security Officer. For smaller firms without a full-time security executive, that raises an obvious question: can you hire one from outside? The short answer is yes. The longer answer has conditions.
The mandate: Section 500.4(a)
Every covered entity must designate a qualified individual as CISO. That person is responsible for running the firm's cybersecurity program, enforcing its policies, and meeting Part 500 requirements. This is not a title you can hand to your IT person as an afterthought. DFS expects the CISO to have the authority and resources to actually run the program.
Outsourcing is permitted, with strings attached
Section 500.4(a) explicitly allows the CISO function to be fulfilled by an affiliate or a qualified third-party service provider. This is where the "virtual CISO" model comes in, and it is a legitimate path for firms that cannot justify a full-time hire.
But there are conditions:
- You still need an internal senior liaison. The regulation requires a senior member of your firm's personnel to be responsible for the direction and oversight of the third-party CISO. You cannot fully outsource accountability. Someone inside the firm must own the relationship, relay information to leadership, and ensure the outsourced CISO has the access they need.
- The outsourced CISO must meet the same standard. Whether in-house or external, the CISO must be qualified. DFS does not define "qualified" with a specific certification requirement, but the expectation is clear: this person must have sufficient cybersecurity knowledge and experience to manage the program.
- The covered entity remains responsible. Outsourcing the function does not outsource the liability. Your firm is still on the hook for everything the CISO is supposed to do. If the third-party CISO fails to deliver, DFS comes after your firm, not theirs.
The annual report to the board
The CISO must deliver a written report to the board of directors (or equivalent governing body) at least annually. The report must cover:
- The confidentiality of nonpublic information and the integrity of information systems
- The security of the firm's cybersecurity program and its alignment with the firm's risk profile
- The effectiveness of the program, including material gaps, deficiencies, and areas for improvement
This is not a slide deck you put together the night before. The board report should be detailed enough that someone reading it two years later can understand what shape the program was in at the time. It has to hold up if a regulator pulls it.
Reporting between annual reports
The CISO also has to promptly report material cybersecurity issues to the board between annual reports. "Material" is doing real work in that sentence. A phishing email that got caught by your filter probably does not qualify. A vendor breach that exposed customer data almost certainly does. If you're debating whether something is material, report it. Underreporting is a harder position to defend than overreporting.
The board's responsibility
The 2023 amendments added something new here: the board has to understand cybersecurity well enough to exercise real oversight. DFS recognized that most board members are not security experts, so the regulation allows boards to use advisors, internal or external, to fill in the gaps.
But "use advisors" does not mean "check out entirely." The board must be engaged enough to ask informed questions, evaluate the CISO's report, and make resourcing decisions. If the CISO says the program needs more funding and the board ignores them, that is a governance failure DFS will notice.
Small firm exemption
Not every firm needs a CISO. Section 500.19 provides a limited exemption for firms that meet any one of these criteria:
- Fewer than 20 employees and independent contractors
- Less than $7.5 million in gross annual revenue in each of the last three fiscal years
- Less than $15 million in total year-end assets
Exempt firms file a Notice of Exemption and are excused from a subset of Part 500 requirements, including the CISO mandate. But the exemption is narrow. Even exempt firms must maintain a cybersecurity program, implement access controls, and report cybersecurity events. And if you grow past the thresholds, you lose the exemption and must designate a CISO.
Personal liability and the annual certification
This is the part that gets people's attention. The CISO co-signs the annual certification filed under Section 500.17(b), alongside the CEO. That signature is a personal attestation that the firm materially complied with Part 500 during the prior year.
If that certification turns out to be false, both signers face potential enforcement action. DFS has made clear that it views false certifications seriously. This is not an area where you sign and hope for the best. If your outsourced CISO is co-signing, they need to have been deeply enough involved throughout the year to stand behind the attestation.
Making it work in practice
If you are going the outsourced CISO route, set expectations early:
- Define the scope of the engagement in writing. The CISO should know exactly which Part 500 obligations they are responsible for overseeing.
- Designate your internal liaison and make sure they have the authority to act on the CISO's recommendations.
- Schedule the annual board report well before certification season. The report informs the certification, not the other way around.
- Establish a clear escalation path for material issues so the CISO can report to the board promptly, not just annually.
The short version
You need a CISO unless you qualify for the small firm exemption. Outsourcing works, but it does not remove your firm's responsibility. The CISO, whether internal or external, will co-sign your annual certification and carry personal liability for that attestation. Pick the right person and set the relationship up properly. Make sure your board is paying attention.
Want to see how other firms structure their CISO reporting? BlackSheep tracks every Part 500 obligation and makes board reporting straightforward.