What is NYDFS 23 NYCRR 500?
A New York DFS regulation requiring financial-services companies to run a risk-based cybersecurity program, appoint a CISO and report incidents.
Definition
23 NYCRR Part 500 is a cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS). It requires “covered entities” — banks, insurers and other financial-services companies licensed in New York — to establish and maintain a risk-based cybersecurity program that protects the confidentiality, integrity and availability of information systems.
Amended in 2023 (with phased effective dates), the rule adds stronger governance, MFA and incident-notification requirements, including reporting certain cybersecurity events to NYDFS within 72 hours.
Key requirements
Cybersecurity program & policy
Risk-based and board-approved.
CISO
Designate a qualified Chief Information Security Officer.
Risk assessments
Periodic, documented risk assessments.
MFA & encryption
Protect access and nonpublic information.
Incident notification
Report qualifying events to NYDFS within 72 hours.
Third-party security
Policies governing service-provider risk.
Who needs to comply?
Any entity operating under a NYDFS license or registration — banks, insurers, mortgage companies and other financial-services firms in New York — is a covered entity, subject to limited exemptions for smaller firms.
How ISpectra helps
ISpectra builds your 23 NYCRR 500 program end to end — cybersecurity policy, CISO support, risk assessments, MFA/encryption controls and 72-hour incident reporting — with the evidence NYDFS expects.
Talk to an advisor