23 NYCRR Part 500 compliance guide for the NYDFS cybersecurity regulation

Key takeaways

• NYDFS Part 500 requires continuous cybersecurity governance, monitoring, and testing
• The Second Amendment (2023) expanded requirements with phased deadlines through 2025
• Covered entities must demonstrate operational security controls, not just written policies
• Penetration testing, vulnerability management, and secure development procedures are explicit regulatory requirements
• Accurate vulnerability validation improves remediation prioritization and audit confidence
• Continuous application security testing and posture visibility help organizations maintain evidence for certification and audits

Note that this article is intended to provide a convenient starting point for compliance but does not constitute legal advice – always refer to the official regulation text for binding guidance.

What is the NYDFS Cybersecurity Regulation (23 NYCRR Part 500)?

23 NYCRR Part 500 is a New York Department of Financial Services regulation that requires covered entities to establish, maintain, and certify a comprehensive cybersecurity program.

Introduced in 2017, the regulation was significantly expanded through the Second Amendment to Part 500, which took effect on November 1, 2023. The amendment introduced additional cybersecurity controls, governance obligations, and reporting requirements, with a phased rollout of new provisions extending through November 2025.

NYDFS has direct enforcement authority over covered entities, making cybersecurity a regulatory obligation rather than an internal best practice.

Who must comply with NYDFS Part 500?

Any organization operating under NYDFS oversight, including financial institutions and certain technology providers, must comply unless a limited exemption applies.

Covered entities include banks, insurance companies, mortgage lenders, money transmitters, virtual currency businesses, and non-U.S. institutions licensed to operate in New York. The scope is often misunderstood because some organizations assume the rule applies only to traditional financial institutions.

Limited exemptions exist for smaller entities, but they do not remove all obligations. Even exempt organizations must maintain a cybersecurity program, perform risk assessments, implement security policies, manage access controls, and comply with reporting and certification requirements.

The Second Amendment also introduced a new category of Class A companies, generally covering larger covered entities with significant revenue and employee counts. These organizations must meet additional requirements, including independent cybersecurity audits, enhanced monitoring capabilities such as endpoint detection and response, and centralized logging across systems.

When do organizations need to comply with 23 NYCRR Part 500?

Most Part 500 requirements are already in force, with ongoing annual certification and continuous compliance obligations.

The Second Amendment took effect on November 1, 2023, but many new requirements were implemented through phased deadlines extending through November 2025. These include expanded governance obligations, stronger monitoring requirements, and additional controls related to access management and asset visibility.

Covered entities must also submit annual certification or acknowledgment filings to NYDFS confirming that their cybersecurity program materially complies with Part 500. Under the amended regulation, this certification must be signed by the organization’s CEO and CISO (or equivalent security leader) and must be supported by documentation and data demonstrating that required controls are operating effectively.

Delayed remediation can therefore become a regulatory issue. Security gaps identified during testing or risk assessments become part of the compliance record, affecting both certification confidence and potential enforcement exposure.

Why is NYDFS Part 500 compliance difficult for organizations?

Part 500 requires continuous cybersecurity controls rather than one-time audits or policy documentation.

Many organizations can produce security policies, but demonstrating operational effectiveness across applications, APIs, infrastructure, and vendors is far more complex. Compliance gaps frequently appear when written policies do not reflect actual security operations.

Common challenges include:

• Continuous monitoring expectations exceeding traditional audit cycles
• Vulnerability management programs generating large volumes of low-quality findings
• Security evidence scattered across multiple tools and reports
• Weak remediation tracking and ownership
• Difficulty demonstrating operational controls during audits

Part 500 therefore pushes organizations toward continuous security operations rather than periodic compliance exercises.

What are the core cybersecurity requirements of 23 NYCRR Part 500?

NYDFS Part 500 mandates risk-based security controls, continuous monitoring, and formal accountability.

Covered entities must maintain a cybersecurity program supported by written policies, governance oversight, and documented risk assessment processes. The regulation also requires security testing, incident response planning, access controls, vendor risk management, and regular reporting to senior leadership.

Key NYDFS Part 500 requirements include:

• Cybersecurity program and written policies
• Risk assessment and risk-based control selection
• Penetration testing and vulnerability assessments
• Incident response and reporting procedures
• Access controls, monitoring, and logging
• Third-party service provider security
• Documentation and annual certification

The amended regulation also strengthens access control requirements, including the expanded use of multi-factor authentication (MFA). By November 2025, MFA will be required for any user accessing any information system unless a formally documented exception is approved and protected through compensating controls. NYDFS has repeatedly emphasized MFA failures as a major driver of cybersecurity incidents and enforcement actions.

Because these requirements span governance, operations, and technology, effective compliance typically requires coordination across security, compliance, engineering, and leadership teams.

23 NYCRR Part 500 compliance guide: Practical requirements

Turning the regulation into operational control areas helps organizations move beyond checklist compliance and focus on how security activities are implemented and evidenced in practice.

Governance, policies, and accountability

Part 500 requires formal cybersecurity governance with clear accountability. Covered entities must designate a CISO or equivalent security leader responsible for overseeing the cybersecurity program. Written cybersecurity policies must be approved annually by the governing body, and leadership must receive regular reporting on cybersecurity risks and program performance.

The Second Amendment strengthened executive accountability by requiring annual compliance certification from senior leadership supported by verifiable evidence.

Risk assessment and security posture management

Part 500 uses a risk-based framework, so compliance depends on an organization’s ability to identify and reassess risk as systems and business priorities change.

Effective risk assessment requires visibility into applications, APIs, and infrastructure, along with insight into vulnerabilities and business impact. Security posture management helps connect these elements, giving teams a clearer view of where critical assets exist, where vulnerabilities are concentrated, and how remediation aligns with risk priorities.

Beginning in November 2025, covered entities must also maintain written procedures for asset inventory management, tracking key attributes such as asset owner, location, classification, support lifecycle, and recovery objectives.

Application and vulnerability security testing

The regulation requires both penetration testing and vulnerability assessments, making security testing a core operational requirement.

Penetration tests must now be conducted from both inside and outside the organization’s information system boundaries, reflecting the expanded expectations introduced in the Second Amendment.

Annual testing cycles rarely match the pace of modern application development. New releases, API changes, configuration updates, and third-party dependencies can introduce risk between formal tests. Continuous vulnerability identification helps teams detect exploitable issues earlier and maintain a consistent evidence trail for remediation activity.

Secure development and change management

Part 500 requires organizations to maintain written procedures, guidelines, and standards for secure application development, including the testing of externally developed applications. These controls must be reviewed periodically by the CISO to ensure they remain aligned with the organization’s risk profile.

Integrating security testing into development workflows helps organizations detect issues earlier and document remediation activity. In regulated environments, teams must demonstrate when vulnerabilities were discovered, how they were prioritized, and how remediation decisions were handled.

Monitoring, detection, and incident response

Covered entities must maintain monitoring capabilities to detect cybersecurity events and respond effectively. Incident response plans must be documented and supported by operational detection processes.

The amended regulation also expanded business continuity and disaster recovery (BCDR) expectations, requiring organizations to maintain and test their ability to restore systems and data following disruptive events.

For qualifying incidents, NYDFS reporting obligations can begin within 72 hours of determining that an event occurred. Additional rules introduced in the Second Amendment require covered entities to notify regulators within 24 hours of making an extortion payment and to submit a follow-up report within 30 days explaining the circumstances and remediation steps.

Third-party and supply chain security

Part 500 requires organizations to manage risk introduced by vendors and service providers. Covered entities must maintain policies and oversight processes for third-party relationships that affect security posture.

Modern organizations often rely heavily on external platforms, APIs, and service providers, which can expand the attack surface. Effective vendor oversight requires visibility into which third parties interact with critical systems and how those relationships affect risk exposure.

Documentation, evidence, and audit readiness

Part 500 compliance ultimately depends on demonstrable evidence. Organizations must document their cybersecurity program, maintain records of testing and remediation, and support annual certification filings.

Useful evidence includes vulnerability findings, validation results, remediation records, ticket history, and risk acceptance documentation. When evidence is fragmented across multiple tools and teams, audit preparation becomes significantly more difficult.

How does application security testing support NYDFS Part 500 compliance?

NYDFS Part 500 explicitly requires penetration testing and vulnerability assessments, making application security testing a key component of compliance.

While application security tools alone cannot satisfy the entire regulation, they play a central role in demonstrating operational security controls. Continuous testing helps organizations identify vulnerabilities sooner, validate findings, and maintain a consistent record of remediation activity.

Accuracy also matters for compliance reporting. Large volumes of unverified findings can overwhelm remediation teams and complicate audit reporting. Validated results provide clearer risk signals and stronger evidence for compliance documentation.

How Invicti supports 23 NYCRR Part 500 compliance

Invicti’s Application Security Platform enables continuous, validated vulnerability management and posture-level visibility aligned with NYDFS requirements. 

The platform supports key operational aspects of compliance – especially continuous DAST-based testing, vulnerability validation, risk prioritization, and evidence generation across applications and APIs.

Proof-based vulnerability detection

False positives create operational overhead and weaken compliance reporting. Invicti’s proof-based scanning confirms exploitable vulnerabilities so teams can focus remediation efforts on validated issues.

Validated findings also provide stronger evidence during audits and compliance reviews.

Continuous application and API security testing

Invicti enables ongoing security testing and discovery across web applications and APIs, extending coverage beyond periodic assessments or annual penetration tests.

Continuous testing helps organizations identify vulnerabilities earlier and maintain visibility across rapidly changing application environments.

ASPM for NYDFS reporting and certification

Application security posture management provides centralized visibility into application risk, vulnerabilities, and remediation status.

For Part 500 programs, ASPM improves reporting and evidence generation by connecting assets, exposures, and remediation activity in one platform.

What mistakes cause organizations to fail NYDFS Part 500 audits?

NYDFS enforcement actions increasingly focus on operational security failures rather than documentation gaps. Past cases illustrate how gaps in access control, monitoring, and development practices can lead to significant penalties:

• Robinhood: $30 million penalty (2022) for cybersecurity and compliance failures
• OneMain Financial: $4.25 million penalty (2023), including issues related to secure coding training and vulnerability management
• PayPal: $2 million penalty (2022) tied to multi-factor authentication and access control weaknesses

Organizations typically fail audits when documentation exists but operational controls are inconsistent. Common issues include:

• Treating Part 500 as a periodic assessment instead of a continuous program
• Relying on manual or fragmented testing processes
• Generating large volumes of unvalidated vulnerability findings
• Lacking clear ownership for remediation and reporting
• Failing to maintain reliable testing and remediation evidence
• Misinterpreting exemption status

How should organizations start preparing for NYDFS Part 500 compliance?

Preparation begins with understanding scope and aligning security operations with regulatory requirements. A practical approach includes:

• Identifying covered entities, systems, and applications
• Determining whether any exemptions apply
• Assessing current cybersecurity control maturity
• Implementing continuous vulnerability identification and validation
• Improving security posture visibility across applications and APIs
• Establishing remediation ownership and reporting workflows
• Aligning AppSec, GRC, and engineering teams around evidence requirements

Organizations that focus on operational controls and evidence generation typically find certification and audits far easier to manage.

Final thoughts: Building an NYDFS Part 500 program that works in practice

NYDFS Part 500 compliance is an operational requirement rather than an annual audit exercise. Organizations that succeed treat the regulation as a continuous security program supported by reliable testing, clear governance, and consistent evidence.

Continuous application security testing and posture visibility help regulated organizations detect vulnerabilities earlier, prioritize remediation effectively, and maintain the documentation required for certification and regulatory review.

Learn how Invicti helps financial services organizations support 23 NYCRR Part 500 compliance through continuous, proof-based application security testing and ASPM-driven visibility. Request a demo to see the Invicti Platform in action.

Actionable insights for security leaders

• Treat NYDFS Part 500 as a continuous cybersecurity program, not a periodic compliance exercise.
• Move beyond annual penetration tests by implementing ongoing vulnerability identification across applications and APIs.
• Prioritize remediation using validated vulnerabilities and real exploitability, not raw scanner output.
• Maintain centralized visibility into application security posture to support risk prioritization and regulatory reporting.
• Align AppSec, GRC, and engineering teams early so remediation ownership, evidence collection, and certification support are clearly defined.
• Build audit-ready evidence trails by documenting testing activity, validation results, remediation actions, and risk decisions.

‍