NYDFS Part 500: Meeting the Amended Cybersecurity Requirements

by Noxmon-CyberRisk-Team, Financial Services Security Team

The New York Department of Financial Services (NYDFS) cybersecurity regulation — formally codified at 23 NYCRR Part 500 — remains one of the most consequential and prescriptive cybersecurity rules in U.S. financial services. Since it first took effect, Part 500 has shaped how banks, insurers, and licensed financial institutions structure their cybersecurity programs. With the Second Amendment adopted on November 1, 2023 and its requirements phasing in through 2025, the bar has risen considerably. This guide explains what Part 500 requires, what changed under the Second Amendment, and how NOXMON and RISKMON help Covered Entities meet the amended requirements with quantified, examiner-ready evidence.

A note on naming: this regulation is "Part 500" — 23 NYCRR Part 500. It is frequently mis-cited with other numbers, so confirm you are working against the correct citation when you build your compliance program.

Who Must Comply: Covered Entities

Part 500 applies to "Covered Entities" — any person or organization operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's banking, insurance, or financial services laws. That sweeps in a broad population: state-chartered banks, licensed lenders, insurance companies, agents and brokers, money transmitters, and a wide range of fintechs operating under New York authority.

Some smaller entities qualify for limited exemptions from specific provisions based on employee count, gross revenue, or assets, but exemptions are partial and must be filed with NYDFS. Even exempt entities must still satisfy core obligations such as maintaining a risk-based cybersecurity program, limiting access privileges, and conducting risk assessments. The safest posture is to assume the full framework applies and document any exemptions deliberately.

The Core Requirements

Part 500 establishes a risk-based cybersecurity program built on a set of concrete, auditable obligations. The core requirements include:

  • Written cybersecurity program and policy. A documented program designed to protect the confidentiality, integrity, and availability of information systems, supported by board- or senior-officer-approved policies.
  • Designated CISO. A qualified Chief Information Security Officer responsible for overseeing and enforcing the program, and for delivering an annual written report to the board or governing body.
  • Risk assessment. A periodic, documented risk assessment that informs the design of the program and is updated as the business, technology, and threat landscape change.
  • Multi-factor authentication (MFA). MFA for access to internal networks from external sources and, under the amendments, more broadly across remote access, privileged accounts, and third-party access.
  • Encryption. Protection of nonpublic information both in transit and at rest, with compensating controls where encryption is infeasible.
  • Access controls and identity management. Least-privilege access, periodic review of access rights, and prompt removal of access when no longer needed.
  • Annual penetration testing and vulnerability assessments. Penetration testing at least annually and regular vulnerability scanning, with remediation tracked to closure.
  • Incident response plan. A documented, tested plan covering roles, communications, escalation, recovery, and post-incident review.
  • 72-hour incident notification. Notification to the NYDFS Superintendent within 72 hours of determining that a qualifying cybersecurity event has occurred.
  • Annual certification of compliance. An annual filing — now either a certification of material compliance or an acknowledgment with a remediation plan — submitted to NYDFS.

These obligations are not one-time tasks. They form a continuous cycle of assessment, control implementation, monitoring, and reporting that examiners expect to see operating year-round.

What the Second Amendment Changed

The Second Amendment to Part 500, adopted November 1, 2023, raised expectations across governance, technical controls, and accountability, with requirements phased in through 2025. Key changes include:

  • Class A Companies. The amendment created a new tier of larger Covered Entities — "Class A Companies" — defined by elevated revenue and employee thresholds. Class A Companies face heightened requirements, including independent audits of their cybersecurity program and enhanced monitoring and privileged-access management controls such as endpoint detection and response and centralized logging.
  • Enhanced governance and board oversight. Senior governing bodies must exercise effective oversight of cyber risk, possess sufficient cybersecurity expertise, and ensure that management develops and maintains the program. The CISO's annual report must address material issues and remediation plans.
  • Expanded MFA. MFA requirements were broadened to apply more comprehensively across remote access, privileged accounts, and third-party application access, narrowing the scope of acceptable alternatives.
  • Asset inventory. Covered Entities must maintain a documented asset inventory with policies and procedures to track key information such as ownership, location, classification, support expiration, and recovery time objectives.
  • Stronger incident and notification obligations. The amendment clarified notification expectations, added requirements around ransomware and extortion payments, and reinforced the 72-hour reporting timeline.
  • Updated certification. The annual filing now distinguishes between certifying material compliance and acknowledging non-compliance with a remediation timeline, signed by both the CISO and a senior officer.

The practical effect is that Part 500 now demands not just controls, but demonstrable governance, continuous monitoring, and the ability to prove — with evidence — that the program is working and that risk decisions are informed.

How NOXMON and RISKMON Deliver Compliance

Meeting Part 500 is less about checking boxes and more about running a defensible, risk-based program that examiners and your own board can trust. This is where NOXMON's assessment methodology and RISKMON work together.

RISKMON is NOXMON's proprietary cyber risk quantification platform. Built on FAIR-based modeling, it expresses cyber risk in financial — dollar — terms, maps a single set of control evidence across overlapping frameworks, tracks findings and POA&M items to closure, and provides 24x7 continuous monitoring with executive and board dashboards. Applied to Part 500, that translates into three concrete capabilities:

The required risk assessment, quantified. Part 500 requires a documented risk assessment that drives the design of the program. NOXMON uses RISKMON to move beyond qualitative heat maps and quantify each risk scenario as financial exposure. That gives the CISO and board a defensible basis for prioritizing MFA expansion, encryption, monitoring investments, and remediation — exactly the kind of risk-informed decision-making the amended rule expects.

Certification evidence and examiner-ready reporting. Because RISKMON maps one evidence set across frameworks and tracks remediation to closure, the annual certification (or acknowledgment with a remediation plan) is backed by living evidence rather than a last-minute scramble. The same control evidence supports asset inventory accuracy, access reviews, penetration test remediation, and the CISO's annual board report. NOXMON itself uses RISKMON to monitor its own clients, so the reporting cadence is built for ongoing examiner scrutiny.

72-hour notification readiness. The 72-hour clock starts when a Covered Entity determines a qualifying event has occurred. NOXMON aligns the incident response plan with RISKMON's continuous monitoring and findings tracking so that detection, determination, and escalation happen fast enough to meet the deadline — with a documented trail of what was known and when.

Use Cases

NY-Licensed Insurer: From Heat Maps to Dollars

A mid-sized insurer licensed under New York insurance law had a functioning cybersecurity program but struggled to demonstrate that its risk assessment actually drove decisions. As it approached the thresholds that could classify it as a Class A Company, leadership needed defensible governance and independent assurance. NOXMON ran a Part 500 assessment, rebuilt the risk assessment in RISKMON to quantify top scenarios in financial terms, expanded MFA coverage across privileged and third-party access, and stood up an asset inventory with recovery objectives. The CISO's annual board report shifted from a list of controls to a prioritized, dollar-denominated remediation roadmap.

"For the first time, our board could see cyber risk the way they see every other risk — in dollars. The annual certification stopped being a fire drill and became a byproduct of how we run the program." — CISO, NY-licensed insurer

Fintech: Building a Program That Scales With Growth

A fast-growing fintech operating under New York authority had assembled controls piecemeal as it scaled and lacked a cohesive, examiner-ready program. With the Second Amendment's expanded MFA, asset inventory, and governance requirements phasing in, the team needed to mature quickly without slowing the business. NOXMON established a written program and policies, designated CISO responsibilities, and used RISKMON to continuously monitor controls, track POA&M items to closure, and produce the evidence needed for the annual certification. When a suspicious event occurred, the incident response plan and monitoring data let the team make a determination and prepare a 72-hour notification with a clear, time-stamped record.

"We needed a program an examiner would respect and that wouldn't slow us down. RISKMON gave us continuous evidence and a 72-hour readiness posture we could actually trust." — VP of Security, financial technology firm

Bringing It Together

Part 500 — and especially its Second Amendment — rewards organizations that treat cybersecurity as an ongoing, risk-based, well-governed program rather than an annual compliance event. The CISO requirement, expanded MFA, asset inventory, enhanced board oversight, 72-hour notification, and annual certification all point in the same direction: prove that you understand your risk, that you are managing it deliberately, and that you can document it on demand.

NOXMON's assessment methodology paired with RISKMON gives Covered Entities exactly that — a quantified risk assessment, continuous monitoring, and certification evidence that stands up to examiner scrutiny. To see how a Part 500 assessment works in practice, explore our NYDFS Part 500 Assessment and our broader work in financial services.
