NYDFS Cybersecurity Regulation: What Part 500 Requires in 2026

A practical news guide to the NYDFS cybersecurity regulation, including who is covered, deadlines, MFA, reporting, exemptions, third-party risk and 2026 guidance.

Jitendra Kumar · Founder & Editor

Founder & Editor of HacksByte, based in Dubai and focused on AI, cybersecurity, scams, privacy, apps, and practical digital safety.

Last checked: May 27, 2026. This article summarizes public NYDFS materials and is not legal advice. Covered entities should confirm obligations with the final rule, DFS guidance, counsel and their compliance teams.

Quick answer

The NYDFS Cybersecurity Regulation, officially 23 NYCRR Part 500, is New York's cybersecurity rule for many financial services organizations supervised by the New York State Department of Financial Services. It applies to covered banks, insurers, mortgage businesses, money transmitters, virtual currency businesses and other entities that operate under a DFS license, registration, charter, certificate, permit, accreditation or similar authorization.

Part 500 is no longer just an annual paperwork exercise. After the Second Amendment became effective on November 1, 2023, requirements were phased in through 2024 and 2025. As of 2026, the major phase-in dates have passed, which means regulated entities should be operating under the amended rule: stronger governance, broader multi-factor authentication, risk-based vulnerability management, asset inventories, incident response and business continuity plans, annual testing, third-party service provider oversight, encryption, annual compliance filing and fast incident reporting.

For customers, the regulation means your New York-regulated financial institution should have a formal cybersecurity program for protecting nonpublic information and restoring operations after cyber events. For business owners and compliance teams, it means documentation matters: if a control exists but cannot be shown to DFS, it may not help much during an examination or incident review.

NYDFS Part 500 cybersecurity regulation editorial image with compliance dashboard, lock, checklist and New York financial district skyline

What is the NYDFS cybersecurity regulation?

NYDFS adopted Part 500 in 2017 to establish cybersecurity requirements for financial services companies. DFS says it amended the regulation in April 2020 to change the annual certification filing date to April 15, and amended it again effective November 1, 2023 after years of incident investigations and a changed threat landscape.

The rule is designed around risk management. Covered entities must identify the cybersecurity risks facing their information systems and nonpublic information, then maintain a cybersecurity program and controls that fit those risks.

That risk-based language matters. Part 500 does not ask every covered business to run the same security stack. It does require organizations to show that their program is grounded in documented risk assessments, approved policies, trained personnel, management oversight and operational controls that work in real life.

Who must comply?

The NYDFS Resource Center says covered entities include DFS-regulated individuals and entities operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under New York Banking Law, Insurance Law or Financial Services Law.

Examples can include:

  • Banks, trust companies and certain foreign bank offices supervised by DFS.
  • Insurance companies, producers, brokers and health-related covered entities under DFS authority.
  • Mortgage bankers, mortgage brokers and certain licensed mortgage businesses.
  • Money transmitters and licensed lenders.
  • Virtual currency businesses licensed or chartered by DFS.
  • Other financial services entities operating under DFS authorization.

The key question is not whether a company is "in cybersecurity" or physically based in New York. The key question is whether it is a covered entity under DFS authority and whether its information systems or nonpublic information fall within Part 500.

What changed after the Second Amendment?

The Second Amendment raised the regulation from a baseline cybersecurity program into a more mature governance and resilience framework. It added or strengthened requirements around senior governance, vulnerability management, asset inventory, access management, MFA, incident response, business continuity, backups, Class A company controls and reporting.

The phase-in schedule is now mostly history:

Date | What changed
December 1, 2023 | Amended reporting requirements began taking effect
April 15, 2024 | Annual compliance filing date for the prior calendar year
April 29, 2024 | Most new amended requirements reached their 180-day compliance date
November 1, 2024 | Several one-year requirements, including broader MFA expectations, came due
May 1, 2025 | Several 18-month requirements, including governance and vulnerability management changes, came due
November 1, 2025 | Two-year requirements, including some Class A company controls, came due

The practical point for 2026 is simple: organizations should not be treating the amended rule as upcoming. They should be able to show current compliance or, where they cannot, file the required acknowledgment and maintain a remediation plan.

Visual compliance map for NYDFS Part 500 showing covered entities, core controls, reporting clocks and annual filings

The controls every covered entity should understand

Part 500 is broad, but the operating model can be understood through a few core controls.

Cybersecurity program and policy

Covered entities must maintain a cybersecurity program that protects information systems and nonpublic information. They also need written policies approved at least annually. The amended rule lists policy topics such as information security, data governance, asset inventory, access controls, business continuity, systems monitoring, training, application security, physical security, privacy, third-party management, risk assessment, incident response and vulnerability management.

This is where many compliance programs succeed or fail. A policy that is copied from a template but not reflected in actual systems, owners, logs, training and reports creates risk during an examination.

CISO and governance

Covered entities generally need a Chief Information Security Officer. The CISO can be internal, an affiliate employee or a third-party provider, but the covered entity remains responsible for compliance. The CISO must report in writing at least annually to the senior governing body on the cybersecurity program, material risks, material events and remediation plans.

The senior governing body must exercise cybersecurity oversight. That includes receiving reports, understanding cyber matters well enough to oversee management and confirming that sufficient resources are allocated.

Risk assessment

Part 500 requires periodic risk assessments, reviewed and updated at least annually and when business or technology changes materially alter cyber risk. The risk assessment must be documented and must support the design of the cybersecurity program.

In 2026, that means risk assessments should reflect current threats: AI-enabled phishing, vendor concentration, cloud dependencies, vishing, ransomware, exposed remote access, identity attacks, software supply chain risk and geopolitical threat activity.

MFA and access control

Multi-factor authentication is one of the most important Part 500 controls. The amended rule requires MFA for any individual accessing covered entity information systems, unless a limited exemption applies. Limited-exemption entities still need MFA for remote access, remote access to third-party applications where nonpublic information is accessible, and privileged accounts other than service accounts that prohibit interactive login.

Access controls also require limiting user privileges, periodically reviewing access, disabling or securely configuring remote-control protocols and promptly terminating access after departures. Class A companies have additional privileged access obligations.

Vulnerability management and asset inventory

The amended rule requires written vulnerability management policies and procedures. Covered entities must conduct automated scans of information systems and manual review where scans are not possible, be promptly informed of new vulnerabilities and remediate based on risk.

Asset inventory is also explicit. Organizations must maintain a complete, accurate and documented inventory of information systems, with details such as owner, location, classification or sensitivity, support expiration date and recovery time objectives where applicable.

These two controls fit together. You cannot reliably patch, segment, monitor or recover systems you do not know you have.
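The inventory fields the rule names (owner, location, classification, support expiration, recovery time objective) are only useful if someone checks that every record actually has them. The script below is an added example, not DFS guidance or HacksByte code: it runs a completeness and support-lifecycle check over a small, constructed inventory, flagging missing fields, expired or soon-expiring vendor support, and restricted assets with no recovery time objective. The field names, hostnames, dates and the 90-day warning window are assumptions chosen for illustration.

```python
"""Asset inventory completeness check.

Added example, not DFS or HacksByte code. Field names, sample records and
the 90-day warning window are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Fields every inventory record is expected to carry (assumed schema).
REQUIRED_FIELDS = ("asset_id", "owner", "location", "classification", "support_expires")

# Reference date for the checks; constructed for the example.
AS_OF = date(2026, 5, 27)

# Constructed sample inventory; every value here is invented.
SAMPLE_INVENTORY = [
    {"asset_id": "srv-001", "owner": "payments-team", "location": "nyc-dc1",
     "classification": "restricted", "support_expires": "2027-06-30", "rto_hours": 4},
    {"asset_id": "srv-002", "owner": "", "location": "aws-us-east-1",
     "classification": "internal", "support_expires": "2026-03-31"},
    {"asset_id": "fw-003", "owner": "netops", "location": "nyc-dc1",
     "classification": "restricted", "support_expires": None, "rto_hours": 2},
    {"asset_id": "db-004", "owner": "data-platform", "location": "nyc-dc2",
     "classification": "restricted", "support_expires": "2026-07-15"},
]


@dataclass
class Finding:
    asset_id: str
    issue: str


def check_asset(record: dict, today: date = AS_OF, warn_days: int = 90) -> list:
    """Return the list of inventory gaps found in one record."""
    findings = []
    asset_id = record.get("asset_id") or "<unknown>"

    # 1. Every required field must be present and non-empty.
    for name in REQUIRED_FIELDS:
        if not record.get(name):
            findings.append(Finding(asset_id, f"missing {name}"))

    # 2. Vendor support must not have lapsed, and approaching lapse is flagged
    #    so the patching and replacement plan can account for it.
    expires = record.get("support_expires")
    if expires:
        expiry = date.fromisoformat(expires)
        if expiry < today:
            findings.append(Finding(asset_id, f"support expired on {expires}"))
        elif expiry - today <= timedelta(days=warn_days):
            findings.append(Finding(asset_id, f"support expires within {warn_days} days ({expires})"))

    # 3. Assets holding restricted data need a recovery time objective so the
    #    BCDR plan knows how fast they must come back.
    if record.get("classification") == "restricted" and "rto_hours" not in record:
        findings.append(Finding(asset_id, "restricted asset has no recovery time objective"))

    return findings


def check_inventory(records: list, today: date = AS_OF) -> list:
    """Run check_asset over the whole inventory and collect all findings."""
    findings = []
    for record in records:
        findings.extend(check_asset(record, today))
    return findings


if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print(f"{finding.asset_id}: {finding.issue}")
```

Run against the sample data, the check flags the empty owner and lapsed support on srv-002, the missing support date on fw-003, and the approaching support lapse plus missing RTO on db-004, while srv-001 passes cleanly. In a real program the records would come from the CMDB or cloud inventory export, and the findings would feed the vulnerability management and BCDR reviews rather than a console printout.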

Incident response, business continuity and backups

Part 500 requires written incident response and business continuity and disaster recovery plans. Those plans should enable prompt response, recovery and operational resilience.

The amended rule also requires annual testing of incident response and BCDR plans with staff and management critical to the response, annual testing of the ability to restore critical data and information systems from backups, and backups protected from unauthorized alteration or destruction.

This is one of the clearest signs that DFS is focused on real-world resilience, not only prevention.

Third-party service provider risk

Third-party service provider risk is central to Part 500 because financial institutions rely heavily on cloud platforms, managed service providers, file-transfer tools, fintech vendors, AI systems, claims processors, help desks and other external providers.

Part 500 requires written policies and procedures for providers that access information systems or nonpublic information. Those policies must address identification, risk assessment, minimum cybersecurity practices, due diligence and periodic assessment.

DFS's October 21, 2025 third-party guidance adds practical detail. It says covered entities cannot delegate Part 500 responsibility to a provider, even when they outsource important operations. It also recommends stronger due diligence, contract protections, ongoing monitoring, termination controls and attention to AI use, data location, subcontractors, exit obligations, access revocation and residual access points.

What are Class A companies?

Class A companies are larger covered entities that meet specific revenue and size thresholds. Under the amended rule, a covered entity is generally a Class A company if it has at least $20 million in gross annual revenue in each of the last two fiscal years from New York business operations and either more than 2,000 employees averaged over the last two fiscal years, including affiliates, or more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations, including affiliates.

Class A companies have extra obligations, including:

  • Independent audits of the cybersecurity program.
  • Monitoring privileged access activity.
  • A privileged access management solution.
  • Automated blocking of commonly used passwords, or documented compensating controls where infeasible.
  • Endpoint detection and response to monitor anomalous activity, unless approved compensating controls are used.
  • Centralized logging and security event alerting, unless approved compensating controls are used.

The larger the company, the less plausible it is to defend weak visibility, unmanaged privileged access or slow vulnerability response as a resource problem.

Do small businesses get exemptions?

Yes, but limited exemptions are not complete exemptions. DFS says there are three common ways to qualify for the Section 500.19(a) limited exemption:

  1. The covered entity and its affiliates together have fewer than 20 employees and independent contractors.
  2. The covered entity has less than $7.5 million in gross annual revenue in each of the last three fiscal years, counting all business operations and affiliates' New York business operations.
  3. The covered entity has less than $15 million in year-end total assets, including affiliate assets.

If a full exemption applies, the covered entity must still submit a Notice of Exemption. If a limited exemption applies, the covered entity must submit a Notice of Exemption, comply with the remaining applicable sections and submit an annual notice regarding compliance.

Small businesses should be careful here. An exemption may reduce obligations, but it does not mean "no cybersecurity program" or "no DFS filing."

What must be reported to DFS?

Part 500 has three major reporting concepts that users and businesses should know.

Trigger | Deadline | What it means
Cybersecurity incident | No later than 72 hours after determining that a cybersecurity incident occurred | Notify DFS electronically through the required form
Extortion payment | Within 24 hours of payment | Notify DFS when an extortion payment is made in connection with a cybersecurity event
Extortion payment explanation | Within 30 days of payment | Explain why payment was necessary, alternatives considered and diligence performed, including sanctions-related diligence
Annual compliance filing | April 15 each year | Submit a certification of material compliance or an acknowledgment of noncompliance for the prior calendar year

The amended annual filing is important because it gives covered entities two options: certify material compliance or acknowledge noncompliance, identify the relevant sections, describe the nature and extent of noncompliance and provide a remediation timeline or confirmation that remediation is complete.

Why enforcement risk is real

DFS has continued to bring cybersecurity enforcement actions. On April 30, 2026, DFS announced a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York related to the MOVEit Transfer breach. DFS said its investigation found cybersecurity failures, inadequate incident response policies and procedures, exposure of consumer nonpublic information and failure to timely report cybersecurity events.

The lesson is not that every breach equals a penalty. The lesson is that DFS will examine whether the covered entity's program, reporting, policies, controls and response matched Part 500 expectations.

What the 2026 DFS guidance adds

NYDFS issued two notable cybersecurity items on May 21, 2026: guidance for heightened cybersecurity threat environments and an advisory on heightened risks associated with frontier AI models.

The heightened-threat guidance says it does not create new legal requirements. Instead, it gives best practices that regulated entities should consider when risk is significantly elevated, such as during geopolitical events or technology shifts that materially change cyber risk.

DFS organizes the guidance into three practical areas:

  • Reduce the attack surface by hardening identity, patching, disabling unnecessary access, reviewing internet-facing systems and tightening vendor exposure.
  • Improve threat detection and readiness by strengthening logging, alerting, threat intelligence, monitoring and incident response exercises.
  • Strengthen resilience and response by testing backups, validating recovery, preparing communications and reviewing crisis decision-making.

The frontier AI advisory is also relevant. DFS warns that more capable AI systems may increase the speed, scale and potency of vulnerability discovery and exploitation. DFS urges regulated entities to update risk assessments, review legacy systems and ensure full compliance with Part 500.

What customers should know

Most consumers do not need to read the full regulation. But customers should understand what Part 500 is meant to protect.

If your bank, insurer, mortgage provider, money transmitter or virtual currency business is covered by NYDFS, the organization should have formal cybersecurity controls around nonpublic information, identity, vendor access, incident response and recovery. If a cyber incident affects your data, other breach-notification laws and company notices may also apply.

Customers can still reduce personal risk:

  • Use strong MFA on financial accounts.
  • Do not reuse bank or insurance passwords.
  • Watch for fake breach notices and support calls after public incidents.
  • Freeze credit or monitor accounts if sensitive identity data is exposed.
  • Keep copies of official breach letters and claim numbers.
  • Use only official apps, verified websites and known phone numbers.

Regulation reduces institutional risk, but it does not remove the need for personal account hygiene.

What covered entities should do this month

For a practical readiness check, covered entities should start with evidence, not slogans.

Confirm that the latest risk assessment is current and accounts for 2026 threats. Review whether the cybersecurity policy was approved at the right level and whether it matches the environment. Verify MFA coverage, including third-party apps and privileged accounts. Check whether the asset inventory can support vulnerability management and recovery planning. Validate that vulnerability remediation is risk-prioritized and documented.

Then test operational resilience. Can the organization restore critical systems from protected backups? Has the incident response plan been tested with the right executives, legal, communications, operations and IT staff? Are third-party incident notice obligations in contracts? Can the organization collect enough evidence to meet the 72-hour DFS notice obligation if a vendor incident affects its systems or nonpublic information?

Finally, prepare the annual filing process early. The April 15 deadline is predictable. Evidence collection should not start the week before it is due.

Official NYDFS media

The following official DFS videos are useful for teams refreshing internal training:

NYDFS Cybersecurity Regulation Refresher: Multi-Factor Authentication
NYDFS Cybersecurity Regulation Refresher: Incident Response and Business Continuity and Disaster Recovery Plans

FAQ

Is NYDFS Part 500 a privacy law?

It is primarily a cybersecurity regulation, but it protects nonpublic information, including certain personal, financial, credential and health-related data held by covered entities.

Does Part 500 apply outside New York?

It can. The trigger is DFS-regulated status and covered operations, not simply where a server or employee is located. Entities should review the covered entity definition and their DFS authorizations.

Are limited-exemption entities done after filing a Notice of Exemption?

No. Limited-exemption entities must still comply with applicable sections and submit annual compliance notices. Full-exemption entities have fewer obligations, but they still need to file the exemption notice if they qualify.

What is the most common practical mistake?

Treating compliance as a static checklist. Part 500 expects risk assessments, policies, access controls, training, vendor oversight, vulnerability management and incident response to evolve with the business and threat environment.

What should a company do if it cannot certify material compliance?

The amended rule allows an acknowledgment of noncompliance. The filing should identify the sections not materially complied with, describe the nature and extent of noncompliance and include a remediation timeline or confirmation that remediation has been completed.

Sources

  • NYDFS Cybersecurity Resource Center: dfs.ny.gov
  • Final Second Amendment to 23 NYCRR Part 500: dfs.ny.gov
  • NYDFS implementation timeline for covered entities: dfs.ny.gov
  • NYDFS guidance on heightened cybersecurity threat environments, May 21, 2026: dfs.ny.gov
  • NYDFS advisory on frontier AI cybersecurity risks, May 21, 2026: dfs.ny.gov
  • NYDFS guidance on managing third-party service provider cybersecurity risk, October 21, 2025: dfs.ny.gov
  • NYDFS Delta Dental cybersecurity settlement press release, April 30, 2026: dfs.ny.gov
  • Official NYDFS MFA refresher video: youtube.com
  • Official NYDFS incident response and BCDR refresher video: youtube.com