Guides · By Rutvi Vadera · March 19, 2026 · 12 min read

NYDFS 23 NYCRR Part 500 Compliance Checklist for 2026

If your bank, insurer, mortgage shop, or virtual-currency business is licensed in New York, 23 NYCRR Part 500 is no longer a project you can defer. The Second Amendment is fully phased in, the annual certification is sworn by a senior officer, and the 72-hour notification clock starts the moment you determine an event occurred. This checklist maps every core obligation to its section so your team can see what "done" actually looks like.

Z Cyber is a cybersecurity operating partner. We do not hand you a tool and a login and wish you luck. For financial-services clients regulated by the New York Department of Financial Services (NYDFS), a dedicated forward-deployed Z Cyber team builds the cybersecurity program, runs it on our AI-native GRC platform, Glance, and carries the remediation work through to evidence. This guide is the same checklist we use when we onboard a Covered Entity. It is organized by the regulation's own section numbers so nothing falls between the cracks.

Who 23 NYCRR Part 500 actually covers

Part 500 applies to "Covered Entities," meaning any person or business operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. In practice that sweeps in commercial and community banks, credit unions chartered in New York, insurance companies and many licensed producers, mortgage bankers and servicers, money transmitters, and virtual-currency businesses holding a BitLicense.

The reach is broad, and it is the activity that triggers coverage, not your headquarters. A lender or insurer authorized to do business in New York is covered even if its primary operations sit elsewhere. Limited exemptions exist under Section 500.19 for smaller entities below certain employee, revenue, and asset thresholds, but exemptions are partial. Core obligations such as the risk assessment, access controls, the third-party policy, training, encryption, and the incident response and notification duties still apply, and you must file a Notice of Exemption to claim one.


The Second Amendment, in plain terms

The Second Amendment to Part 500 was adopted on November 1, 2023, and its requirements phased in across 2024 and 2025. It did not replace the original 2017 rule. It raised the bar. The headline changes that a 2026 program must reflect:

  • A new class of large entities, "Class A Companies," now carries enhanced obligations including independent audits of the cybersecurity program and additional monitoring and privileged-access controls.
  • Governance was sharpened. The CISO must report to the senior governing body in writing at least annually, and that body must have sufficient cybersecurity expertise to exercise oversight.
  • Written policies must be approved at least annually by a senior officer or the senior governing body, and must cover a defined set of topics.
  • Multi-factor authentication requirements were expanded toward MFA for all individuals accessing the entity's information systems, subject to limited approved exceptions.
  • Incident response was extended to include business continuity and disaster recovery planning, plus testing of those plans.
  • Notification duties grew. Beyond the 72-hour event notice, Covered Entities must notify NYDFS of certain ransomware deployments and extortion payments.

The core compliance checklist, mapped to the sections

Treat each grouping below as a control family. For every line, your program needs a written artifact, a named owner, and evidence that it operates. "We have a policy" is not the same as "the control runs and we can prove it."

Governance and program foundation

  • 500.2 Cybersecurity program. Maintain a documented program designed to protect the confidentiality, integrity, and availability of your information systems, based on your risk assessment.
  • 500.3 Cybersecurity policy. Maintain written policies approved at least annually by a senior officer or the senior governing body, covering the regulation's enumerated topics from asset management to incident response.
  • 500.4 CISO. Designate a qualified Chief Information Security Officer. The CISO reports in writing to the senior governing body at least annually and reports promptly on material cybersecurity issues.
  • 500.9 Risk assessment. Conduct and keep current a written risk assessment that drives the rest of the program. Update it to address material changes in your systems, business, or threat environment.

Access, identity, and data protection

  • 500.7 Access privileges and management. Limit access to nonpublic information on a least-privilege basis, review entitlements periodically, and promptly remove access that is no longer needed. Class A Companies face heightened privileged-access controls.
  • 500.12 Multi-factor authentication. Implement MFA for individuals accessing your information systems, with any exceptions approved in writing by the CISO and offset by reasonably equivalent controls.
  • 500.15 Encryption of nonpublic information. Encrypt nonpublic information in transit and at rest, or apply CISO-approved compensating controls where encryption is infeasible.
  • 500.13 Asset management and data retention. Maintain an accurate asset inventory and a documented data-disposal practice so nonpublic information is not retained beyond business or legal need.

Detection, testing, and monitoring

  • 500.5 Penetration testing and vulnerability assessments. Conduct annual penetration testing and ongoing vulnerability assessments, informed by the risk assessment, and remediate findings.
  • 500.6 Audit trail. Maintain systems that produce audit trails to detect and respond to cybersecurity events, with retention sufficient to support investigations.
  • 500.14 Training and monitoring. Provide regular cybersecurity awareness training, including social-engineering and phishing exposure, and implement monitoring and risk-based controls such as malicious-code protection and, where applicable, controls to detect unauthorized activity.

Third parties, response, and resilience

  • 500.11 Third-party service provider security policy. Maintain written policies governing the security of third parties that access your information systems or nonpublic information, including due diligence and contractual security requirements.
  • 500.16 Incident response and business continuity. Maintain a written incident response plan and a business continuity and disaster recovery plan, and test both.

Notification and certification

  • 500.17(a) 72-hour event notification. Notify the Superintendent as promptly as possible, and within 72 hours at the latest, after determining that a covered cybersecurity event has occurred. Separate notice obligations apply to ransomware deployment in a material part of your systems and to extortion payments.
  • 500.17(b) Annual certification. File an annual notification with NYDFS, either certifying material compliance or acknowledging noncompliance with a remediation timeline and documentation of the gaps.
  • 500.10 Cybersecurity personnel and intelligence. Use qualified personnel, internal or through a provider, to manage cybersecurity risks and stay current on threats.

Summary table: requirement, section, and what it means

Requirement                                 | Section   | What it means
--------------------------------------------|-----------|-------------------------------------------------------------------------------
Cybersecurity program                       | 500.2     | A documented, risk-based program protecting your systems and data.
Written policy                              | 500.3     | Policies approved at least annually by a senior officer or the board.
Designated CISO                             | 500.4     | A qualified CISO who reports to the governing body at least annually.
Penetration testing and vulnerability scans | 500.5     | Annual pen tests plus ongoing vulnerability assessment and remediation.
Audit trail                                 | 500.6     | Logging that supports detection of and response to events.
Access privileges                           | 500.7     | Least-privilege access, periodically reviewed and promptly revoked.
Risk assessment                             | 500.9     | A current written assessment driving the whole program.
Third-party security policy                 | 500.11    | Vendor due diligence and contractual security requirements.
Multi-factor authentication                 | 500.12    | MFA for access, with limited CISO-approved exceptions.
Training and monitoring                     | 500.14    | Regular awareness training plus monitoring and risk-based controls.
Encryption                                  | 500.15    | Nonpublic information encrypted in transit and at rest.
Incident response and continuity            | 500.16    | Tested IR, business continuity, and disaster recovery plans.
72-hour notification                        | 500.17(a) | Notify the Superintendent within 72 hours of determining an event occurred.
Annual certification                        | 500.17(b) | Certify material compliance or file an acknowledgment with a remediation plan.

What Class A Companies must do differently

Class A Companies are the largest Covered Entities, identified by size thresholds based on employee count and gross annual revenue tied to New York operations and affiliates. If you cross those thresholds, the program is not just bigger, it is audited. Class A obligations include independent audits of the cybersecurity program based on its risk assessment, and enhanced controls. The expectations point toward stronger privileged-access management and toward monitoring such as an endpoint detection and response capability and centralized logging, with limited CISO-approved exceptions where a control is genuinely infeasible.

If you are near a threshold, scope this early. The difference between a standard program and a Class A program is the difference between an internal review and a defensible independent audit, and you do not want to discover the gap during certification season.

The 72-hour clock and the certification trap

Two obligations cause the most pain in practice. The first is 500.17(a). The 72-hour clock does not start when an attacker gets in. It starts when you determine that a covered cybersecurity event has occurred, which makes your detection and triage discipline a compliance control, not just a security one. Events that trigger notice include those requiring notification to another government or regulatory body and those with a reasonable likelihood of materially harming a material part of your operations. Ransomware deployment and extortion payments carry their own notice duties on top.

The second is 500.17(b), the annual certification. A senior officer or the senior governing body signs it. Certifying material compliance when controls are not actually operating is the kind of misstatement that turns a routine filing into an enforcement exposure. NYDFS can bring enforcement actions and impose penalties for violations of Part 500, and the certification is sworn, so the honest path when you have gaps is the acknowledgment of noncompliance with a documented remediation timeline. That is not a failure. It is the regulation working as designed.


How Z Cyber operates your Part 500 program

Most NYDFS gaps are not a missing firewall. They are missing evidence, stale policies, an access review that nobody ran, a vendor inventory that does not match reality, and a certification due in weeks. Z Cyber closes that gap by operating the program, not auditing it once and leaving. A dedicated team maps your obligations to the sections above, builds the risk assessment that drives everything else, stands up MFA, encryption, logging, and access reviews, and runs them on Glance, where every control links to current evidence and the certification package assembles continuously rather than in a last-minute scramble.

Because the same forward-deployed model serves regulated industrials, insurers, and lenders, the framework also maps cleanly to adjacent obligations your auditors and partners will ask about. If your environment touches federal financial-privacy rules, our GLBA Safeguards Rule guide covers that overlap. If you process cardholder data, see the PCI DSS v4 scope and requirements guide. And if a customer or investor wants independent assurance, our SOC 2 compliance guide shows how the same control evidence supports that report. See our financial services practice for how the operating-partner model works end to end, or read the regulation directly at dfs.ny.gov.

Part 500 is not a one-time hurdle. It is an annual cycle with a sworn signature at the end of it. The Covered Entities that handle it calmly are the ones that treat it as a running program with a clear owner, not a binder pulled off the shelf each spring. Talk to a Z Cyber advisor and we will turn this checklist into a program your senior officer can certify with confidence.

Frequently Asked Questions

Who must comply with NYDFS 500?

NYDFS 23 NYCRR Part 500 applies to Covered Entities, meaning any person or business operating under, or required to operate under, a license, registration, charter, certificate, permit, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. That includes banks, insurers, mortgage and lending businesses, money transmitters, and virtual-currency licensees. Limited partial exemptions exist for smaller entities under Section 500.19, but core obligations still apply.

What is the NYDFS 72-hour notification rule?

Under Section 500.17(a), a Covered Entity must notify the NYDFS Superintendent as promptly as possible, and within 72 hours at the latest, after determining that a covered cybersecurity event has occurred. The clock starts at the point of determination, not at the moment of intrusion. Separate notification duties also apply to ransomware deployment in a material part of your systems and to extortion payments.

What is a Class A Company under NYDFS 500?

Class A Companies are the largest Covered Entities, identified by size thresholds based on employee count and gross annual revenue tied to their New York operations and affiliates. They face enhanced requirements, including independent audits of the cybersecurity program based on the risk assessment, plus heightened monitoring and privileged-access controls beyond what standard Covered Entities must implement.

Does NYDFS 500 require a CISO?

Yes. Section 500.4 requires every Covered Entity to designate a qualified Chief Information Security Officer, who may be internal or provided through a third party or affiliate. The CISO must report in writing to the senior governing body at least annually on the cybersecurity program and material risks, and must report promptly on material cybersecurity issues.

What changed in the NYDFS 500 Second Amendment?

The Second Amendment, adopted November 1, 2023 and phased in through 2024 and 2025, raised the bar without replacing the original rule. It introduced Class A Companies with independent-audit obligations, sharpened board and CISO governance, expanded multi-factor authentication, added business continuity and disaster recovery to incident response, and broadened notification duties to cover ransomware deployment and extortion payments.
