NYDFS Part 500

New York Department of Financial Services 23 NYCRR Part 500 is a comprehensive cybersecurity regulation applying to all NYDFS-regulated financial entities. The 2023 amendments (Part 500.2) added significant new requirements.

Scope of Part 500

23 NYCRR Part 500 is a New York Department of Financial Services regulation requiring all NYDFS-licensed entities (banks, insurance companies, money transmitters, virtual currency businesses, mortgage brokers, and others) to maintain a comprehensive cybersecurity program. It applies to thousands of entities globally that conduct regulated activity in New York; for AI vendors, it matters because customers in NYDFS-regulated sectors flow Part 500 requirements down to their vendors via third-party risk management obligations.

The 2023 amendments

The November 2023 amendments (phased in through 2025) added: a CISO direct reporting line to the board; a 72-hour ransomware-payment notification; expanded incident notification; mandatory annual board-level cybersecurity training; multi-factor authentication for all systems (with limited exceptions); and a new "Class A" tier of larger covered entities subject to stricter requirements (CISO independence, automated vulnerability scanning, password vaulting, and endpoint detection and response). Penalties are entity-specific but have reached eight figures for major incidents.

Vendor flow-down expectations

Part 500.11 (Third Party Service Provider Security Policy) requires covered entities to implement written policies for third-party diligence, including periodic assessment of vendor cybersecurity practices, contractual protections, and access controls. AI vendors selling into NYDFS-regulated buyers should expect detailed cybersecurity questionnaires, evidence of MFA enforcement, encryption attestations, incident response procedures aligned to the 72-hour notification window, and possibly a right-to-audit clause. Many regulated buyers will not sign without these in place.