Cyber Horizon
Tags: NYDFS 500 · Financial Services · US

NYDFS Part 500: A Cybersecurity Compliance Guide for Financial Services

19 June 2026 · 8 min read · Cyber Horizon Team

New York’s 23 NYCRR Part 500, in force since March 2017, was the first prescriptive cybersecurity regulation for financial services in the US, and the Second Amendment adopted in November 2023 made it tougher. If you hold a licence from the New York Department of Financial Services (NYDFS), it is binding, and every year (by 15 April) your highest-ranking executive and your CISO must sign either a certification of material compliance or an acknowledgement of non-compliance.

Who it applies to

Any “Covered Entity”, meaning anyone operating under (or required to operate under) a licence, registration, charter or similar authorisation from NYDFS under the Banking, Insurance or Financial Services Law: banks, insurers, mortgage lenders, money transmitters and many fintechs. Smaller firms that fall under the size thresholds in Section 500.19 may qualify for a limited exemption, but they still must meet a core subset of the controls and still file the annual certification. Crucially, the rule reaches well beyond New York: if you are NYDFS-licensed, it applies to your information systems and non-public information wherever you operate.

Core requirements

Cybersecurity programme & policy

A documented cybersecurity programme and written policies, approved at least annually by the board (or equivalent senior governing body) and based on a risk assessment that is itself reviewed and updated at least annually (Sections 500.02, 500.03 and 500.09).

A qualified CISO

A named CISO (in-house, from an affiliate, or from a third-party service provider) with adequate authority and resources, who reports to the senior governing body in writing at least annually on the programme and on material cybersecurity risks (Section 500.04).

MFA everywhere it matters

Multi-factor authentication for remote access to your systems, for remote access to third-party applications holding non-public information, and for all privileged accounts. Amendment 2 goes further: from 1 November 2025, MFA is required for any individual accessing any information system of a Covered Entity, unless the CISO approves a reasonably equivalent compensating control in writing (Section 500.12).

Asset inventory

A documented and maintained inventory of information systems that, under the amended Section 500.13, tracks for each asset at least the owner, location, classification or sensitivity, support expiration date and recovery time objective.

Encryption & access controls

Encryption of non-public information both in transit over external networks and at rest; compensating controls are permitted only for data at rest, must be approved in writing by the CISO and re-reviewed at least annually (Section 500.15). Access privileges must follow least privilege, be reviewed at least annually, and be removed or disabled promptly when personnel depart (Section 500.07).

Incident response & 72-hour reporting

A written incident response plan and a business continuity and disaster recovery plan, both tested at least annually (Section 500.16). Reportable cybersecurity incidents must be notified to NYDFS within 72 hours of determining that one has occurred. If you make an extortion (ransomware) payment, you must notify NYDFS within 24 hours of the payment and provide a written explanation within 30 days of why it was necessary, what alternatives were considered and what sanctions diligence was done (Section 500.17(a)).

What Amendment 2 changed

The amendment adopted on 1 November 2023 raised the bar on several fronts. It created a “Class A” tier for the largest companies (at least $20 million in gross annual revenue from New York operations plus either more than 2,000 employees or more than $1 billion in total gross annual revenue), which must commission independent audits of the programme, deploy a privileged access management solution, and run endpoint detection and response together with centralised logging and alerting. It made governance explicit: the senior governing body must have sufficient expertise to oversee cyber risk, and the CISO must have adequate authority. It mandated asset management and vulnerability management, including annual penetration testing from inside and outside the network boundary and automated scanning plus manual review. And it made the annual filing stricter: the highest-ranking executive and the CISO must now either certify material compliance with the entire regulation or file an acknowledgement of non-compliance that identifies the gaps and a remediation timeline, with records retained for five years to support the signature.

How to comply

  • Run (and document) the risk assessment the whole programme must be based on, and refresh it at least annually.
  • Confirm the CISO’s authority and resourcing, and calendar the annual written report to the board.
  • Close the MFA, asset-inventory and vulnerability-management gaps Amendment 2 emphasises: universal MFA by 1 November 2025, an inventory with the required attributes, and annual penetration tests plus automated scanning.
  • Stand up 72-hour incident reporting (and 24-hour extortion-payment reporting) alongside incident response and BCDR plans that are actually exercised.
  • Deliver annual cybersecurity awareness training that covers social engineering, and keep the attendance records.
  • Prepare the April certification with evidence for every control, not just a signature, since the filing is now personal to the executive and CISO who sign it.

The bottom line

Part 500 turned financial-services cybersecurity from guidance into a certifiable legal obligation with personal accountability at the top. Treat it as a continuous, evidence-backed programme — most of its controls overlap heavily with NIST CSF, ISO 27001 and FFIEC, so the work compounds.

Keep NYDFS 500 certification-ready

Cyber Horizon maps NYDFS Part 500 to your controls, automates the evidence, and keeps your CISO board report and annual certification backed by data — alongside NIST, ISO and FFIEC.
