NYDFS 23 NYCRR 500 compliance for firms that serve clients in New York
New York's cybersecurity regulation is specific: a designated CISO, annual penetration testing, MFA for privileged accounts, encryption at rest and in transit, and a certification you sign every April. BlackSheep maps each requirement and tracks where you stand.
$249/month · All features included · No credit card to start
- April 15: Annual certification deadline
- 72 hours: Incident notification to DFS
- 15: Policy areas required by Section 500.3
- 2023: Major amendments (phased through 2025)
What 23 NYCRR 500 requires
Unlike principles-based regulations, 23 NYCRR 500 tells you what controls to have.
Here is what DFS wants to see.
CISO Designation
Designate a qualified CISO responsible for your cybersecurity program. The CISO can be in-house, an affiliate, or a third party, and must report annually to senior leadership.
Risk Assessment
Conduct risk assessments at least annually. They should feed directly into your program design. Document the risks, evaluate your controls, and plan mitigations.
Penetration Testing
Annual penetration testing and bi-annual vulnerability assessments. The 2023 amendments added automated scanning requirements.
Multi-Factor Authentication
MFA for remote access and all privileged accounts. The 2023 amendments pushed the scope well past what most firms had in place. No exceptions for convenience.
Encryption
Encrypt nonpublic information in transit and at rest. Compensating controls need written CISO approval and annual review.
Written Policy
A written cybersecurity policy covering 15 areas: data governance, access controls, business continuity, monitoring, incident response, physical security, and more.
Incident Notification
Notify DFS within 72 hours of a cybersecurity event. Ransomware payments require separate 72-hour notification, plus a 30-day written follow-up.
Training
Cybersecurity awareness training for all personnel, updated to reflect current risks. Since the 2023 amendments, training is required at least annually.
Annual Certification
Certify compliance by April 15 each year. Signed by the CEO and CISO. Since the 2023 amendments, you can also file an acknowledgment of noncompliance with a remediation plan.
Does your firm size matter?
Small business exemption
Under 20 employees, under $5M revenue, or under $15M assets
- Exempt from CISO requirement
- Exempt from penetration testing
- Exempt from vulnerability assessments
- Exempt from audit trail requirements
Still required: cybersecurity program, policy, training, encryption, MFA, incident notification
Standard covered entity
Most DFS-regulated firms
- Full compliance required
- CISO designation mandatory
- Annual pen testing
- Annual certification by April 15
- 72-hour incident notification
Class A company
$20M+ NY revenue AND (2,000+ employees OR $1B+ total revenue)
- Everything above, plus:
- Annual independent audits
- Endpoint detection and response (EDR)
- Centralized logging and alerting
- Additional monitoring requirements
Common questions about NYDFS 500
Does this apply to SEC-registered RIAs?
It depends on your DFS nexus. If your firm operates under a DFS license or registration, or is an affiliate of a DFS-regulated entity (like a bank-affiliated adviser), yes. Many SEC-registered RIAs are regulated by the NY Attorney General's office, not DFS, so 500 doesn't apply to them directly. If you're subject to both SEC and DFS oversight, you comply with both Reg S-P and 500.
Can our CISO be a third party?
Yes. The CISO can be employed by the entity, an affiliate, or a third party service provider. But your firm retains responsibility for the cybersecurity program. The CISO must report in writing at least annually to senior leadership.
What happens if we can't fully certify by April 15?
The 2023 amendments added the option to file an acknowledgment of noncompliance instead of a certification. It must identify the areas of noncompliance, the remediation plans, and the timelines. This is better than falsely certifying, but it does put you on DFS's radar.
How does NYDFS 500 differ from SEC Reg S-P?
500 is more prescriptive. It mandates specific controls: CISO, MFA, encryption, penetration testing, annual certification. Reg S-P is principles-based: written policies, incident response, vendor oversight. If you're subject to both, 500 usually asks for more.
What are the penalties for non-compliance?
DFS can assess penalties per violation, per day, and they add up fast. DFS has brought multi-million dollar enforcement actions. DFS can also impose remedial measures, put you on a supervised compliance program, or revoke your license.
Deep dives
The NYDFS 500 Annual Certification: What to Know Before April 15
Two filing options, dual signature, five-year retention.
The NYDFS 500 CISO Requirement: Who Qualifies, and Can You Outsource It?
What the regulation actually requires and how to comply.
NYDFS 500 vs. SEC Reg S-P: Which Applies and Which Sets the Higher Bar?
Prescriptive vs. principles-based. How to build one program that covers both.
Related frameworks
SEC Reg S-P
The Safeguards Rule. Mandatory for SEC-registered RIAs by June 2026.
NIST CSF 2.0
The framework regulators reference. Maps to both Reg S-P and NYDFS 500.
DOL EBSA Cybersecurity Guidance
Cybersecurity best practices for ERISA-covered retirement plan fiduciaries.
FINRA Cybersecurity Checklist
Core cybersecurity controls for broker-dealers and FINRA-registered firms.
April 15 comes every year. Will you be ready next time?
Stop scrambling before certification. BlackSheep tracks your NYDFS 500 compliance year round so the annual filing is a formality, not a fire drill. Templates are already built. You fill in what applies to your firm.
$249/month. That's less than one hour of a compliance consultant's time.
14-day free trial. No credit card. 30-day money-back guarantee.