NY DFS Part 500, without the binder

Comply with the NY DFS Cybersecurity Regulation

A written cybersecurity program, MFA and asset inventory under the Second Amendment, 72-hour incident reporting, and a defensible annual certification — all driven by live control evidence.

What is the NY DFS Cybersecurity Regulation?

The New York State Department of Financial Services (DFS) Cybersecurity Regulation — 23 NYCRR Part 500 — sets cybersecurity requirements for financial-services companies that DFS regulates. First effective on March 1, 2017, it was one of the first comprehensive, prescriptive state cybersecurity rules in the United States, and it became a template for later frameworks such as the NAIC Insurance Data Security Model Law.

Part 500 is risk-based but specific: it requires a written cybersecurity program and policy, a designated Chief Information Security Officer (CISO), periodic risk assessments, and a defined set of technical and governance controls to protect Nonpublic Information (NPI). It also requires Covered Entities to report cybersecurity events to the DFS superintendent within 72 hours and to certify their compliance annually.

Who must comply

The regulation applies to Covered Entities — any person or organization operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. That includes NY-licensed banks, insurers, mortgage servicers, and money transmitters. Small entities can qualify for limited exemptions but still must meet a reduced subset of the requirements.

The Second Amendment introduced a Class A company tier — larger entities (generally at least $20M in NY-sourced gross annual revenue over three fiscal years, and either more than 2,000 employees or more than $1B in gross annual revenue averaged over two years, including affiliates) — which face enhanced obligations including independent audits, endpoint detection and response (EDR), and privileged access management (PAM).

The Second Amendment

DFS adopted the Second Amendment to Part 500 on November 1, 2023, with requirements phased in through November 1, 2025. As of that final date, the amended regulation is fully in effect. The most significant additions:

  • Multi-factor authentication for all access (§500.12) — MFA is now required for any individual accessing any information system of a Covered Entity, not just remote or privileged access.
  • Asset inventory (§500.13) — written policies and procedures to maintain a complete, accurate, documented inventory of information systems.
  • Stronger governance — the CISO must report on the cybersecurity program to the senior governing body, which is expected to exercise meaningful oversight; policies must be approved by the senior governing body or a senior officer.
  • Expanded incident reporting — in addition to the 72-hour cybersecurity-event notification, Covered Entities must notify DFS of an extortion (ransomware) payment within 24 hours and provide a written explanation within 30 days.
  • Class A enhanced requirements — independent audits, EDR, PAM, and more rigorous, expert-led risk assessments.

Core requirements

Part 500 covers the controls most security teams already recognize: a written program and policy (§§500.2–500.3), a CISO (§500.4), penetration testing and vulnerability assessments (§500.5), audit trails (§500.6), access privilege management (§500.7), application security (§500.8), risk assessment (§500.9), security personnel and training (§§500.10, 500.14), third-party service provider security policy (§500.11), MFA (§500.12), asset management and data retention (§500.13), monitoring and encryption of NPI (§500.15), an incident response and business continuity plan (§500.16), and notification plus the annual certification (§500.17).

The annual certification

Each year, a Covered Entity must file a notice with DFS by April 15 covering the prior calendar year — either a certification of material compliance or a written acknowledgment that identifies the areas of non-compliance and a remediation plan with timelines. The filing must be signed by the entity's highest-ranking executive and its CISO, and the entity must retain the records and documentation supporting it. A weak or undocumented certification is one of the most common sources of DFS enforcement exposure.

How NY DFS maps to other frameworks

Most Part 500 requirements overlap heavily with controls you may already maintain. For US insurers and carriers, the NAIC Insurance Data Security Model Law is the closest parallel, and the ISO 27001 Annex A controls, SOC 2 Trust Services Criteria, and NIST CSF outcomes cover the large majority of Part 500 technical and governance requirements. Mapping NYDFS to a shared control set means a single piece of evidence — an access review, a pen-test report, a risk assessment — can satisfy multiple programs at once.

How episki helps

episki implements 23 NYCRR Part 500 as living controls cross-mapped to your other frameworks, so your NYDFS program reuses evidence you already collect for ISO 27001, SOC 2, or NAIC. The CISO report, risk assessment, 72-hour and ransomware notifications, and the §500.17 annual certification are produced from real control evidence — not a parallel binder you rebuild every April.

NY DFS Part 500 outcomes with episki

Quantify the impact security and compliance brings to your business.

  • 23 NYCRR 500: the full NYDFS Cybersecurity Regulation implemented as living episki controls.
  • 72-hour: cybersecurity-event reporting to the DFS superintendent tracked with deadline timers.
  • Annual cert: Section 500.17 certification of material compliance, evidenced and ready to sign by April 15.

Why teams choose episki for NY DFS Part 500

Framework-specific automation, collaboration, and reporting in one workspace.

Second Amendment, fully covered

Every requirement phased in through November 1, 2025 — implemented as controls, not a checklist.
  • Universal MFA (§500.12) and asset inventory (§500.13)
  • Expanded governance and senior-governing-body oversight
  • Class A enhanced requirements scoped when they apply

CISO program and reporting

The written program, policies, and CISO reporting the regulation requires — kept current automatically.
  • Board/senior-governing-body-approved policies
  • CISO written report to the governing body
  • Annual risk assessment tied to control treatments

Reporting and certification

Hit the 72-hour and ransomware-payment notification windows, and build the annual certification from real evidence.
  • 72-hour cybersecurity-event notification workflow
  • Ransomware extortion-payment reporting (24h / 30-day)
  • §500.17 certification or acknowledgment with remediation plan

NY DFS Part 500 readiness inside episki

What a New York-regulated financial institution needs preloaded.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Written cybersecurity program and policies (§500.2, §500.3)
  • CISO designation and annual written report (§500.4)
  • Risk assessment kept current (§500.9)
  • Multi-factor authentication across all access (§500.12)
  • Asset inventory policies and procedures (§500.13)
  • Incident response and BCDR plans (§500.16)
  • 72-hour cybersecurity-event reporting (§500.17(a))
  • Annual certification of material compliance (§500.17(b))

Part 500 program accelerators

Stand up a defensible NYDFS program and reuse the work across your other obligations.

  • Certification builder: assemble the §500.17 certification (or acknowledgment of non-compliance with a remediation plan) from live control evidence.
  • Reporting timers: 72-hour cybersecurity-event and ransomware-payment notification clocks with owner assignment.
  • NAIC / ISO 27001 crosswalk: reuse NYDFS evidence against the NAIC Model Law, ISO 27001, and SOC 2.

Build a defensible Part 500 program in episki

Implement 23 NYCRR 500 once, report on time, and reuse the evidence across NAIC, ISO 27001, and SOC 2.