What Is NY DFS (23 NYCRR 500)

Espresso Labs Team
3 min read
NY DFS — formally known as 23 NYCRR 500 — is the New York Department of Financial Services’ cybersecurity regulation for banks, insurers, and other financial services companies operating in New York State. First adopted in 2017 and significantly amended in 2023, it is one of the most detailed and prescriptive state-level cybersecurity rules in the United States.

The Short Answer

23 NYCRR 500 requires any company licensed or regulated by the New York DFS to maintain a formal cybersecurity program that protects customers’ nonpublic information (NPI) and the financial services firm’s information systems. Unlike many compliance frameworks that are voluntary or industry-driven, NY DFS is a government regulation — failure to comply can result in fines, enforcement actions, and loss of license.

The 2023 amendments significantly raised the bar, adding requirements for multi-factor authentication (MFA) on all privileged access, mandatory encryption of NPI in transit and at rest, annual board-level reporting, and stricter third-party vendor oversight.

What Is Covered by 23 NYCRR 500?

The regulation is organized around five core requirements:

1. Cybersecurity Program

Every covered entity must maintain a written cybersecurity policy approved by the board of directors (or equivalent governing body). The policy must address 14 areas including access controls, third-party vendor risk, incident response, and data retention.

2. Chief Information Security Officer (CISO)

Covered entities must designate a CISO responsible for overseeing the cybersecurity program. The CISO must report at least annually to the board on the state of the program, material cyber risks, and remediation plans.

3. Technical Controls

The 2023 amendments made specific technical controls mandatory rather than risk-based:

  • MFA: Required for all remote access and all access to privileged accounts
  • Encryption: Required for NPI both in transit and at rest
  • Vulnerability management: Regular penetration testing (at minimum annually) and vulnerability scans (at minimum quarterly)
  • Endpoint detection and response (EDR): Required for all covered systems
  • Privileged access management (PAM): Controls over privileged accounts and access

4. Incident Response and Notification

Covered entities must maintain a written incident response plan and notify the DFS Superintendent within 72 hours of determining that a cybersecurity event has occurred. Certain material events must also be reported to the Governor’s Office and other agencies.

5. Annual Certification

Each year, the CISO must submit a certification of compliance to the DFS. Under the 2023 amendments, this moved from a self-certification to a more detailed attestation process. Inaccurate certifications can result in enforcement action.

Who Enforces NY DFS?

The New York Department of Financial Services enforces 23 NYCRR 500. The DFS has broad enforcement authority including the ability to issue civil monetary penalties, require corrective action plans, and revoke operating licenses for covered financial services firms.

The DFS has already taken enforcement action against multiple companies, resulting in multi-million dollar settlements. This is not a paper compliance exercise — the DFS actively examines covered entities and expects documentation, evidence, and demonstrated operational controls.

What Changed in the 2023 Amendments?

The November 2023 amendments to 23 NYCRR 500 significantly increased requirements compared to the original 2017 rule:

Requirement           | Before 2023       | After 2023
----------------------|-------------------|-----------------------------------------------
MFA                   | Risk-based        | Mandatory for all privileged access
Encryption            | Risk-based        | Mandatory for NPI in transit and at rest
EDR                   | Not required      | Required for covered systems
PAM                   | Not required      | Required
Annual certification  | Simple self-cert  | Detailed attestation with material consequences
Incident notification | 72 hours          | 72 hours (clarified scope)

How Espresso Labs Helps

Espresso Labs delivers continuous NY DFS compliance as a managed service — not as a checklist or dashboard. We enforce the required technical controls automatically, monitor your environment 24/7, maintain the documentation your CISO needs for board reporting, and keep audit evidence ready at all times. For firms that need to achieve NY DFS compliance without building a large internal security team, Espresso Labs compresses both the timeline and the ongoing cost significantly.

Ready to Get Started?

CMMC compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not managing controls.

Talk to our team