Status
In Force
NYDFS Cybersecurity Regulation
Also known as: 23 NYCRR Part 500
NYDFS Part 500 is one of the most comprehensive state-level cybersecurity regulations in the US. It applies to all financial services companies licensed in New York and requires a risk-based cybersecurity program, a CISO, MFA, encryption, penetration testing, and annual certification. The 2023 Second Amendment added new requirements for Class A companies (500+ employees or $10B+ revenue) including enhanced controls, independent audits, and additional technical safeguards.
Jurisdiction
New York
Regulator
New York Department of Financial Services
Effective
11/1/2023
Sector
financial
Full Text / Summary
The regulation was first adopted in 2017 and significantly amended in November 2023. The Second Amendment introduced: (1) Class A company requirements for enhanced controls; (2) mandatory encryption of nonpublic information in transit and at rest; (3) endpoint detection and response (EDR) requirements; (4) SIEM or equivalent monitoring; (5) 24-hour ransomware payment notification; (6) enhanced third-party risk management; (7) independent audit requirements for Class A companies. The regulation is organized into 23 sections covering the cybersecurity program, policies, CISO, penetration testing, access privileges, application security, risk assessment, multi-factor authentication, limitations on data retention, training, encryption, incident response, notifications, documentation, and exemptions.