Guides · By Rutvi Vadera · March 10, 2026 · 10 min read

What Is NYDFS 23 NYCRR 500? A Guide to New York's Cybersecurity Rule

If your business holds a license from New York's financial regulator, you are almost certainly a Covered Entity under NYDFS 23 NYCRR Part 500. This guide explains what the rule is, who it binds, what it actually requires, and how Z Cyber runs the program end to end on Glance so your team can certify with confidence instead of scrambling each spring.

What NYDFS 23 NYCRR 500 actually is

NYDFS 23 NYCRR Part 500 is the cybersecurity regulation issued by the New York State Department of Financial Services. It first took effect in 2017 and was one of the earliest prescriptive, mandatory cybersecurity rules for the financial sector in the United States. Rather than asking firms to be "reasonable" and leaving the rest to interpretation, Part 500 sets specific obligations: written programs, named accountability, technical controls, and hard reporting deadlines.

The regulation was significantly strengthened by a Second Amendment that NYDFS adopted in November 2023, with new and expanded requirements phasing in across 2024 and 2025. The amendment raised the bar on governance, multifactor authentication, asset management, and incident reporting, and it formalized a tier of larger firms with heightened obligations. If your last serious read of Part 500 was before 2024, your mental model of the rule is out of date.

Z Cyber is the operating partner that runs your Part 500 program. We do not hand you a checklist and walk away. A dedicated, forward-deployed security team implements the controls, operates the program throughout the year, and prepares the certification, all on Glance, our AI-native GRC platform. The regulation is the obligation. We are the team that carries it.

Who must comply: the definition of a Covered Entity

Part 500 applies to "Covered Entities," and the definition is deliberately broad. A Covered Entity is any individual or non-governmental entity operating under, or required to operate under, a NYDFS license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law.

In practice, that pulls in a wide range of financial services businesses, including the following.

Type of business / Why it is typically covered

  • Banks and trust companies: chartered or licensed under New York Banking Law
  • Insurance companies and producers: licensed under New York Insurance Law
  • Mortgage lenders and servicers: licensed to originate or service residential loans in New York
  • Money transmitters: licensed to transmit money under New York law
  • Virtual currency businesses: operating under a BitLicense or limited purpose trust charter

The test is not your size or your industry label. It is whether you hold, or are required to hold, a NYDFS authorization. If you do, you owe the core obligations of Part 500 even if you qualify for one of the limited exemptions discussed below.

The core requirements of Part 500

Part 500 is built around a written cybersecurity program backed by specific technical and governance controls. The program must be based on a periodic risk assessment, and the controls must be designed to protect the confidentiality, integrity, and availability of your information systems and nonpublic information. The headline obligations include the following.

  • A written cybersecurity program and policy. Documented, approved by senior leadership, and reviewed on a recurring basis.
  • A periodic risk assessment. The risk assessment is the foundation. It drives which controls you implement and how rigorously you operate them.
  • A designated CISO. A qualified individual responsible for the program who reports to the board or equivalent governing body on cybersecurity posture.
  • Multifactor authentication. Section 500.12 requires MFA for access to your information systems, with the Second Amendment broadening where it must be applied.
  • Access controls. Limiting and reviewing privileges, including privileged access, on the principle of least privilege.
  • Penetration testing and vulnerability assessments. Regular testing to find and remediate weaknesses before attackers do.
  • Encryption. Protecting nonpublic information in transit and at rest.
  • An incident response plan. A documented, tested plan covering detection, response, recovery, and communications.
  • Training and awareness. Security awareness for personnel, updated to reflect current risks.
  • A third-party service provider security policy. Section 500.11 requires policies and procedures for the security of information systems and nonpublic information accessible to, or held by, your vendors.
  • Annual certification or acknowledgment of compliance. Each year you file with the Superintendent, either certifying material compliance or acknowledging the areas where you are not yet compliant along with a remediation plan.

These obligations are not one-time projects. They form a continuous program that must be operated, evidenced, and refreshed throughout the year. That operating burden is exactly what Z Cyber takes off your plate. Glance maps each control to its Part 500 citation, tracks the evidence, and surfaces what is drifting before it becomes a certification problem.

The 72-hour notification rule

Section 500.17 sets one of the most consequential deadlines in the regulation. A Covered Entity must notify the Superintendent of certain cybersecurity events as promptly as possible, and no later than 72 hours after determining that a reportable event has occurred. The clock starts at the determination, not at first detection, which makes your triage and decision process a compliance control in its own right.

The notification obligation covers cybersecurity events that meet defined thresholds, including events that have a reasonable likelihood of materially harming a material part of normal operations, events that require notice to another government body or self-regulatory agency, and ransomware deployment within a material part of your information systems. Separately, the rules require reporting of extortion and ransomware payments, with documentation explaining the reasons a payment was made.

Seventy-two hours is not long. Without a rehearsed process, the deadline arrives in the middle of an active incident when your team is already stretched. Z Cyber runs this as a defined runbook, so the determination, the drafting, and the filing happen on a schedule you have practiced rather than one you are inventing under pressure. Our NYDFS 500 72-hour notification runbook walks through the exact sequence step by step.

Class A Companies and heightened requirements

The Second Amendment introduced a category called "Class A Companies," the largest Covered Entities measured by employee count and gross annual revenue. These firms carry enhanced obligations on top of the baseline program. Among other things, Class A Companies are expected to conduct independent audits of their cybersecurity program based on their risk assessment, and to deploy more advanced technical controls such as endpoint detection and response and capabilities to monitor privileged access activity.

If you are near the thresholds, you should determine your status deliberately rather than assume you fall below them. Misjudging Class A status means building the wrong program. Z Cyber assesses where you sit, scopes the right tier of controls, and operates them so that an independent audit finds a program already running, not a binder assembled the week before.

Exemptions for smaller companies

Part 500 provides limited exemptions, and they are frequently misunderstood. Smaller Covered Entities, for example those below certain thresholds for employees, gross annual revenue, or year-end total assets, may qualify for a limited exemption from some of the more resource-intensive requirements such as penetration testing, a dedicated CISO, and certain other controls.

The critical point is that a limited exemption is not a free pass. Exempt entities still owe the core obligations, including a risk-based cybersecurity program, a written policy, access controls, MFA, training, an incident response plan, the third-party service provider policy, limitations on data retention, and the annual filing. Entities claiming an exemption must also file a Notice of Exemption with the Superintendent, and they lose the exemption if they later exceed the thresholds.

Many firms either over-claim exemptions they do not qualify for or under-claim and overspend on controls they do not need. Getting the determination right is a planning exercise worth doing carefully. Our NYDFS 500 compliance checklist for 2026 lays out the obligations by entity type so you can see exactly where you land.

How Z Cyber runs your Part 500 program

Reading the regulation is the easy part. The hard part is operating a living program: keeping the risk assessment current, evidencing MFA and access reviews, running penetration tests and tracking remediation, managing vendor security, rehearsing the 72-hour process, and producing a certification your CISO can sign without hedging. Most lean financial firms do not have the headcount to do all of that well, every year, while also running the business.

That is the gap Z Cyber fills as your cybersecurity operating partner. A dedicated team implements the Part 500 controls on Glance, operates the program through the year, and owns the evidence and reporting workflows. Glance ties every control to its specific Part 500 citation, monitors control health continuously, and assembles the certification package from live evidence rather than a last-minute document hunt. When something drifts, you and your advisor see it early enough to fix it.

The result is a program you can certify with confidence and defend under examination, run by a team that does this every day. If Part 500 is on your plate, the most efficient next step is a conversation about your current state and your filing timeline.

Talk to a Z Cyber advisor to scope your NYDFS 500 program, or start with the 2026 compliance checklist to see where you stand today.

Frequently Asked Questions

What is NYDFS 23 NYCRR 500?

NYDFS 23 NYCRR Part 500 is a cybersecurity regulation issued by the New York State Department of Financial Services. It took effect in 2017 and was significantly amended in November 2023, with requirements phasing in through 2024 and 2025. It requires Covered Entities to maintain a written cybersecurity program, perform risk assessments, designate a CISO, implement technical controls, and file an annual certification.

Who must comply with NYDFS 500?

NYDFS 500 applies to Covered Entities, meaning any individual or entity operating under, or required to operate under, a NYDFS license, registration, charter, certificate, permit, accreditation, or similar authorization. That includes banks, insurance companies, mortgage lenders and servicers, money transmitters, and virtual currency businesses operating under a BitLicense.

What are the main requirements of NYDFS 500?

Core requirements include a written cybersecurity program and policy, a periodic risk assessment, a designated CISO reporting to the board, multifactor authentication, access controls, penetration testing and vulnerability assessments, encryption, an incident response plan, training, a third-party service provider security policy, and an annual certification or acknowledgment of compliance.

What is the NYDFS 500 72-hour notification rule?

Under section 500.17, a Covered Entity must notify the Superintendent of certain cybersecurity events as promptly as possible and no later than 72 hours after determining a reportable event has occurred. The rule also requires reporting of ransomware and extortion payments along with documentation of why a payment was made.

Do small companies have exemptions under NYDFS 500?

Smaller Covered Entities may qualify for a limited exemption from some resource-intensive requirements such as penetration testing and a dedicated CISO. However, exempt entities still owe core obligations including a risk-based program, written policy, access controls, MFA, training, an incident response plan, the third-party security policy, and the annual filing, and they must file a Notice of Exemption.
