23 NYCRR Part 500, better known as NY DFS Part 500, has been the most prescriptive state cybersecurity regulation in the United States since its original 2017 release. The 2023 amendments, which phased in across 2024 and 2025, tightened it substantially — more specific technical controls, a new Class A tier for larger firms, expanded incident reporting obligations, and explicit board-level accountability. For financial services firms operating in New York, Part 500 now sits alongside the SEC and FINRA frameworks as a core regulatory input to the IT program.
The rule covers any Covered Entity operating under a DFS license. For the financial services audience, that typically means NY-licensed insurance agencies and brokers, certain banking institutions, licensed lenders, and virtual currency firms. DFS-registered investment advisers also fall under the rule. If your firm holds any New York financial license, Part 500 applies to you.
The Class A Entity Tier
The most structurally significant change in 2023 was the creation of the Class A Entity classification. A Class A Entity is a Covered Entity with gross annual revenue of $20 million or more AND either more than 2,000 employees or more than $1 billion in gross annual revenue averaged over three years. Class A Entities face additional requirements on top of the baseline rule — independent auditor review of the cybersecurity program, a dedicated CISO with specific qualifications, privileged access management tooling, endpoint detection and response, and stricter password controls.
Most financial services firms we work with fall below the Class A threshold, but the controls required of Class A Entities are being adopted voluntarily by smaller firms as a signal of maturity. Underwriters and institutional clients are starting to ask whether a firm has Class A-equivalent controls, particularly endpoint detection and response and privileged access management. Even where it is not strictly required, building to the Class A bar is increasingly a competitive advantage.
Incident Reporting: The 72-Hour and 24-Hour Clocks
Part 500 always had a 72-hour incident notification requirement. The 2023 amendments sharpened it. A Covered Entity must notify DFS within 72 hours of determining that a Cybersecurity Event has occurred that either triggers notice to any government body, self-regulatory agency, or supervisory body, OR has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
The "material harm" branch is where firms most often stumble. It is a fact-specific determination, and the 72-hour clock starts from when the firm becomes aware — not when it completes its investigation. In practice, this means the firm's incident response process has to produce a fast preliminary assessment of materiality, and the decision tree has to route up to senior management quickly.
The 2023 amendments added a new 24-hour notification obligation for extortion payments. If the Covered Entity pays a ransom, it must notify DFS within 24 hours of the payment and file a detailed written statement within 30 days explaining the circumstances. Combined with OFAC sanctions exposure on ransomware payments, this creates substantial pressure to have a pre-negotiated relationship with external counsel and an incident response firm capable of handling ransom negotiations.
Governance and Board Accountability
The 2023 amendments made board-level accountability for cybersecurity explicit. The Covered Entity's senior governing body must approve the cybersecurity policy, receive regular reporting on the cybersecurity program, and oversee the CISO. For firms without a traditional board — partnerships, LLCs with member structures — the equivalent senior governing body performs the same role.
The annual written certification that Covered Entities file with DFS now has to come from the senior governing body or an equivalent senior officer — not a line executive delegated by the business. The certification is a material regulatory filing. Inaccurate certifications carry significant personal liability for the signer.
The CISO role was also strengthened. Every Covered Entity must have a CISO or equivalent — either an employee or a qualified third-party — who reports to the senior governing body at least annually on the state of the cybersecurity program. Class A Entities face additional qualification requirements for the CISO.
Technical Controls: The New Baseline
The technical control requirements in the 2023 amendments track closely with the cyber-insurance baseline and the FINRA Notice 22-29 expectations. Multi-factor authentication is required for every remote access to the network, every privileged account, and every access to nonpublic information. Stronger encryption requirements apply to nonpublic information both at rest and in transit. Asset inventory and data classification are explicit obligations, not implicit best practices.
Vulnerability management has to include continuous monitoring or equivalent regular scanning, with documented remediation of high-severity findings. Penetration testing at least annually is required for most Covered Entities, and for Class A Entities the requirement increases in scope and independence.
The 2023 amendments also specifically address password management. Covered Entities must have a password policy that aligns with industry standards, and Class A Entities must deploy a password management solution for all employees.
Data Minimization and Disposition
One often-overlooked piece of the 2023 amendments is the strengthened data disposition obligation. Covered Entities must have policies for secure disposal of nonpublic information that is no longer necessary for business operations or required by legal or regulatory obligation. The policy has to be implemented, not just written, and the disposition has to be verifiable.
This creates a practical data hygiene problem for many firms. Legacy file shares, old email archives beyond the retention requirement, decommissioned systems with residual data, and backup copies all have to be inventoried and dispositioned on a schedule. The compliant approach treats data disposition as a recurring operational discipline, not a one-time cleanup.
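The "implemented and verifiable" bar above is easiest to meet when the disposition run itself produces the evidence. The script below is an added illustration, not Techvera's tooling and not a method the regulation prescribes: it walks a share, flags files whose last-modified time is older than a retention window, hashes each one before anything is touched, and writes a JSON manifest that can later be reconciled against what remains on disk. The seven-year window, the directory layout and the sample files are constructed for the demo, and modification time is assumed to be an acceptable age signal; in a real program the retention basis would come from the data classification, and deletion stays opt-in (dry run by default).

```python
"""Retention-driven inventory of stale files with a verifiable disposition record.

Added illustration, not Techvera's tooling and not a DFS-prescribed method. The
retention period, the share layout and the sample files are constructed for the
demo. Default is dry-run: it inventories and records, and deletes only when asked.
"""
import hashlib
import json
import os
import tempfile
import time
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

DAY = 86400
DEMO_NOW = 1_700_000_000  # fixed "now" so the demo is reproducible (constructed)


@dataclass
class DispositionRecord:
    path: str           # relative to the share root
    size_bytes: int
    sha256: str         # content hash taken before any deletion
    last_modified: str  # ISO 8601, UTC
    age_days: int
    action: str         # "flagged" (dry run) or "deleted"


def sha256_of(path):
    """Stream the file through SHA-256 so large archives don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_stale_files(root, retention_days, now=None):
    """Relative paths of files last modified before the retention cutoff."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * DAY
    stale = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) < cutoff:
                stale.append(os.path.relpath(full, root))
    return sorted(stale)


def disposition_run(root, retention_days, delete=False, now=None):
    """Hash and record every stale file; remove it only when delete=True."""
    now = time.time() if now is None else now
    records = []
    for rel in find_stale_files(root, retention_days, now):
        full = os.path.join(root, rel)
        mtime = os.path.getmtime(full)
        rec = DispositionRecord(
            path=rel,
            size_bytes=os.path.getsize(full),
            sha256=sha256_of(full),  # evidence captured before the file goes away
            last_modified=datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            age_days=int((now - mtime) // DAY),
            action="flagged",
        )
        if delete:
            os.remove(full)
            rec.action = "deleted"
        records.append(rec)
    return records


def write_manifest(records, out_path):
    """Persist the run as JSON so the disposition can be evidenced at exam time."""
    with open(out_path, "w") as f:
        json.dump([asdict(r) for r in records], f, indent=2)
    return out_path


def remaining_files(root):
    """Relative paths still present under root, for post-run reconciliation."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        out.extend(os.path.relpath(os.path.join(dirpath, n), root) for n in filenames)
    return sorted(out)


def build_demo_share():
    """Constructed sample share: two files inside a 7-year window, one past it."""
    root = tempfile.mkdtemp(prefix="demo_share_")
    samples = {"current/policy.pdf": 30, "archive/mail_2019.pst": 1200,
               "legacy/export.csv": 3000}  # value = age in days (constructed)
    for rel, age in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(f"sample content for {rel}\n")
        t = DEMO_NOW - age * DAY
        os.utime(full, (t, t))
    return root


if __name__ == "__main__":
    share = build_demo_share()
    flagged = disposition_run(share, 7 * 365, delete=False, now=DEMO_NOW)
    manifest = write_manifest(flagged, os.path.join(tempfile.gettempdir(), "disposition_manifest.json"))
    for r in flagged:
        print(r.action, r.path, r.age_days, "days", r.sha256[:12])
    print("manifest:", manifest)
```

Running it dry flags only `legacy/export.csv`; a second pass with `delete=True` produces the same hash in the record, and `remaining_files` confirms the other two files are untouched. That manifest-plus-reconciliation pair is the kind of evidence sample examiners ask for in place of the policy document.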
Third-Party Service Providers
Part 500's third-party service provider requirements were already strong. The 2023 amendments reinforced them. Covered Entities must have a written policy for third-party service provider cybersecurity, including minimum security requirements, due diligence procedures, and contractual obligations. The policy must be based on a risk assessment of the services provided.
The practical implication is that a firm's vendor management program needs to tier its vendors by risk, apply deeper scrutiny to vendors handling nonpublic information, maintain documented due diligence for each tier, and enforce contractual security requirements. The SOC 2 Type II review cadence for high-risk vendors is a defensible baseline that most examinations accept.
Preparing for a DFS Examination
DFS conducts cybersecurity examinations as part of its broader supervisory program. The exams look at the certification, the cybersecurity policy, the risk assessment, the CISO reporting to the governing body, technical controls implementation, vendor management, incident response, and training. Examiners increasingly ask for specific evidence samples rather than accepting policy documents at face value.
Firms that operate in New York should treat Part 500 readiness as continuous rather than event-driven. The control evidence library, the governance minutes showing CISO reporting, the incident response exercise records, and the vendor risk assessments should all be maintained on a rolling basis. Scrambling to assemble the file when an exam notice lands creates avoidable exposure.
Our financial services practice and our New York presence together support firms through the full Part 500 lifecycle — from gap assessment through remediation through examination support. If your firm is operating in New York and assessing readiness against the 2023 amendments, schedule a consultation to walk through the current state of your program.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
