- What is 23 NYCRR Part 500?
- History and Amendments of 23 NYCRR Part 500
- Who Needs to Comply with NYDFS Cybersecurity Regulation?
- Who Regulates 23 NYCRR Part 500?
- What Are the Breach Reporting Requirements in Part 500?
- What Are the Key Requirements of 23 NYCRR Part 500?
- What Security Control Framework Should I Use for 23 NYCRR Part 500?
- What Are Covered Entities Required To Do?
- Can Third-Party Failures Trigger NYDFS Penalties?
- What Penalties Apply for Noncompliance with NYDFS Regulation?
- How to Manage 23 NYCRR Part 500 Compliance
- 1. Build and Maintain a Structured Cybersecurity Program
- 2. Operationalize Asset and Vendor Inventory Management
- 3. Conduct and Maintain a Formal Risk Assessment
- 4. Track Risks and Remediation in a Central Register
- 5. Apply and Document Safeguards Based on Risk
- 6. Certify Compliance and Prepare for Examination
- Why Use 23 NYCRR Part 500 Compliance Software?
- 23 NYCRR Part 500 Compliance with Isora GRC
- 23 NYCRR Part 500 FAQs
- What are Class A Companies under Part 500?
- Are third-party vendors covered under 23 NYCRR Part 500?
- How does Isora GRC help with 23 NYCRR Part 500 compliance?
- What qualifies as a “cybersecurity event” under 23 NYCRR Part 500?
- How often should risk assessments be updated for 23 NYCRR compliance?
- What counts as “nonpublic information” under the regulation?
- What documentation is required for NYDFS examinations?
- Can we delay implementing new amendments if we’re already compliant with the original rule?
- Is using a cybersecurity framework enough to prove compliance?

Compliance with 23 NYCRR Part 500, the NYDFS cybersecurity regulation, holds new weight for financial firms in New York. A June 2025 NYDFS letter on global cyber threats states:
“Entities regulated by the Department should review their cybersecurity programs to ensure full compliance with the Department’s cybersecurity regulation (23 NYCRR Part 500).”
The focus falls on vendor risk management, multi-factor authentication, and breach readiness. New 23 NYCRR Part 500 amendments add responsibilities for NYDFS Class A Companies.
This article explains what 23 NYCRR Part 500 means, highlights key compliance requirements, NYDFS breach notification rules, and 23 NYCRR exemptions, and shows how Isora GRC helps teams stay audit-ready with less friction.
Let’s get started!
What is 23 NYCRR Part 500?
In short: 23 NYCRR Part 500 is a New York regulation requiring financial institutions to implement cybersecurity programs, conduct risk assessments, and report incidents. It applies to all NYDFS-regulated entities, such as banks, insurers, and mortgage companies, and mandates controls such as encryption, MFA, and vendor risk management.
The NYDFS cybersecurity regulation outlines who must comply, what controls must exist, how oversight works, and when to report incidents. Updates from recent 23 NYCRR Part 500 amendments raised the bar even further, especially for Class A Companies, which NYDFS defines as larger, more connected organizations with greater systemic impact. These entities now face enhanced expectations for vendor risk management, privileged access reviews, and continuous monitoring.
By setting these expectations, NYDFS aims to reduce exposure to ransomware, data theft, and service outages. Covered entities that fall short risk fines, audits, or reputational harm. To avoid those outcomes, many rely on tools like Isora GRC to manage evidence, enforce workflows, and simplify reporting under complex Part 500 compliance requirements.
Learn more about NYDFS NYCRR 500 risk assessments in our comprehensive guide.
History and Amendments of 23 NYCRR Part 500
NYDFS introduced 23 NYCRR Part 500 in March 2017 to strengthen cybersecurity across New York’s financial sector. It has since evolved through key amendments to address emerging threats.
Initial Rollout (2017–2019)
The first phase followed a stepped timeline: 180 days, 12 months, 18 months, and two years. Each stage introduced new security requirements. These included:
- Written cybersecurity policies
- A named Chief Information Security Officer (CISO)
- Multi-factor authentication (MFA)
- Data encryption
- Vendor (third-party service provider) risk management controls
By March 1, 2019, all original requirements reached full enforcement.
First Amendment (2020)
In April 2020, NYDFS moved the annual certification deadline from February 15 to April 15. This gave leadership teams more time to complete reviews before submitting documents.
Second Amendment (2023–2025)
A major update began in late 2023, responding to stronger threats and technology gaps. These 23 NYCRR Part 500 amendments expanded both scope and depth. Key changes include:
- Class A Companies: Large organizations now follow stronger governance and technical rules.
- NYDFS breach notification rules: Cybersecurity incidents must be reported within 72 hours, and ransomware payments within 24 hours.
- Executive oversight: Cyber programs need signoff from senior leaders and board members.
- Technical upgrades: Asset inventories, vulnerability scans, and privileged access checks are now required.
- New reporting process: Covered entities must file either a Certification of Material Compliance or Acknowledgment of Noncompliance, signed by both the CISO and a senior executive.
Deadlines continue through November 1, 2025. Each deadline depends on the complexity of the control involved or the size of the company.
Current Status
By mid-2025, most updates from the second amendment have taken hold. MFA rules, access reviews, and inventory standards remain in focus. NYDFS has promised stronger enforcement for delays or gaps.
Platforms like Isora GRC help covered entities follow these evolving Part 500 compliance requirements without guesswork, through guided steps, reporting support, and full audit trails.
Who Needs to Comply with NYDFS Cybersecurity Regulation?
Any organization licensed by NYDFS under New York’s financial laws must comply with 23 NYCRR Part 500. This includes banks, insurers, lenders, and money transmitters.
Covered Entities
A covered entity is defined in §500.1(c) as any individual or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization” from NYDFS.
Common examples of covered entities include:
- State-chartered banks and credit unions
- Foreign banks licensed to operate in New York
- Mortgage lenders and servicers
- Insurance companies, including health, life, property, and casualty
- Money transmitters, check cashers, and premium finance agencies
- Investment and trust companies
- Health maintenance organizations (HMOs) and service contract providers
Even companies that are headquartered outside of New York may be subject to 23 NYCRR Part 500 if they’re licensed or authorized by NYDFS to do business in the state.
Class A Companies (Enhanced Obligations)
As part of the 2023 Second Amendment, NYDFS introduced a new category of Class A Companies. These are large organizations with greater operational complexity and broader risk exposure. The regulation imposes enhanced requirements on these companies, including mandatory audits and advanced technical controls.
To qualify, a company must have:
- At least $20 million in gross annual revenue in each of the last two fiscal years
AND either of the following:
- More than 2,000 employees (including affiliates) on average over the last two fiscal years, OR
- More than $1 billion in gross annual revenue in each of the last two fiscal years
Class A Companies must comply with additional provisions such as:
- Annual independent cybersecurity audits (§500.2(c))
- Enhanced privileged access controls (§500.7)
- Endpoint detection and response for user devices (§500.14)
Exemptions and Partial Exemptions
Some smaller organizations may qualify for a limited exemption under §500.19. However, they’re still subject to core cybersecurity obligations such as:
- Risk assessments
- Incident response planning
- Breach notification
To qualify for the small business exemption, a covered entity must meet all of the following criteria:
- Fewer than 20 employees, including independent contractors
- Less than $7.5 million in gross annual revenue for each of the last three fiscal years
- Less than $15 million in year-end total assets (including affiliates)
Entities must formally file a Notice of Exemption through the DFS Portal.
Third Parties and Affiliates
While third-party service providers are not directly regulated by 23 NYCRR Part 500, covered entities are responsible for managing third-party cybersecurity risk. This includes ensuring that vendors follow minimum security practices and agree to breach reporting obligations, as outlined in §500.11.
Who Regulates 23 NYCRR Part 500?
The New York State Department of Financial Services (NYDFS) enforces 23 NYCRR Part 500 under its authority to oversee financial services and protect consumer data.
Role of the NYDFS Superintendent
The Superintendent of Financial Services is empowered to enforce the regulation and apply penalties for violations. These enforcement powers are detailed in §500.20, which confirms that the regulation will be enforced “pursuant to, and as authorized by, any applicable laws, including the Financial Services Law.”
Regulatory activities include:
- Annual Compliance Certification
Under §500.17(b), covered entities must submit an annual Certification of Material Compliance (or Acknowledgment of Noncompliance) signed by both the CISO and the most senior executive. This certification attests that the organization materially complied with the regulation during the prior calendar year.
- Cybersecurity Incident Reporting
Entities must notify the NYDFS within 72 hours of discovering a qualifying cybersecurity event. If a ransomware payment is made, that must be reported separately within 24 hours. These requirements are outlined in §500.17(a).
- Regulatory Examinations
NYDFS may examine any covered entity’s cybersecurity program as part of its routine supervisory process. Organizations must maintain documentation of their program and make it available upon request, as stated in §500.2(e).
- Enforcement Actions
Failure to comply can result in civil monetary penalties, license revocations, or cease-and-desist orders. The NYDFS uses its enforcement authority under Financial Services Law §408, which allows fines per violation or per day of noncompliance.
Public Enforcement Activity
The NYDFS maintains a live Enforcement Actions Portal where it publishes consent orders, penalty notices, and official press releases.
What Are the Breach Reporting Requirements in Part 500?
23 NYCRR Part 500 sets a thorough cybersecurity framework for covered entities regulated by NYDFS. This framework requires maintaining, updating, and reviewing risk-based programs focused on governance, risk management, technical security, incident response, and reporting. The regulation breaks down into 23 sections detailing specific obligations.
What Are the Key Requirements of 23 NYCRR Part 500?
1. Cybersecurity Program and Policies
§500.2 – Cybersecurity Program
Under 23 NYCRR Part 500, covered entities must establish and maintain a comprehensive cybersecurity program tailored to their unique risk profile. This program protects the confidentiality, integrity, and availability of information systems and nonpublic information.
At a minimum, the program must:
- Identify and assess internal and external cybersecurity risks
- Implement safeguards to prevent unauthorized access and malicious activity
- Detect cybersecurity events in real time
- Respond promptly to mitigate the impact of any incidents
- Recover critical systems and resume operations efficiently
- Meet all applicable regulatory reporting obligations
The cybersecurity program must be based on a formal risk assessment (§500.9), ensuring controls reflect the specific threats and vulnerabilities relevant to the organization.
Additional requirements include:
- Independent Audits for Class A Companies: Large institutions classified as Class A Companies must design and carry out independent audits of their cybersecurity programs periodically, aligned with their risk assessment.
- Adoption of Affiliate Programs: A covered entity may adopt all or parts of an affiliate’s cybersecurity program if those components fully meet the requirements of Part 500.
- Regulator Access: All relevant documentation, including any adopted affiliate policies, must be made available to the NYDFS superintendent upon request.
§500.3 – Cybersecurity Policy
To support their cybersecurity program, covered entities must develop, implement, and maintain a written cybersecurity policy, formally approved at least once a year by a senior officer or the organization’s governing body.
This policy must be:
- Aligned with the entity’s risk assessment
- Documented and actionable through supporting procedures
- Comprehensive across key cybersecurity domains
At a minimum, policies and procedures must cover the following areas, as relevant to business operations:
- Access controls, identity management, and remote access
- Data governance, classification, and retention
- Asset inventory, device lifecycle, and secure decommissioning
- Incident response and notification procedures
- Business continuity and disaster recovery (BC/DR)
- Vendor and third-party service provider management
- Risk assessment protocols
- Information security and system availability
- Vulnerability management
- Physical security and environmental protections
- Application security and development practices
- System and network security, monitoring, and operations
- Customer data privacy standards
- Security awareness and workforce training
This formal cybersecurity policy ensures consistency, accountability, and regulatory alignment across all information security activities within the organization.
2. Governance and Oversight
§500.4 – Cybersecurity Governance
Each covered entity must designate a Chief Information Security Officer (CISO) responsible for overseeing the organization’s cybersecurity program and ensuring compliance with 23 NYCRR Part 500. The CISO may be employed directly by the entity, by an affiliate, or through a third-party provider. However, if a third-party or affiliate CISO is used, the entity must:
- Maintain full accountability for compliance
- Assign a senior internal officer to oversee the arrangement
- Ensure the third party maintains a compliant cybersecurity program
Key CISO Responsibilities:
- Program Oversight: Lead implementation and continuous improvement of the cybersecurity program
- Annual Board Reporting: Deliver a formal, written report to the board or senior governing body at least once per year. The report must cover:
  - Protection of nonpublic information
  - Program effectiveness
  - Material risks and cybersecurity events
  - Policy updates and remediation plans for deficiencies
- Ongoing Updates: Provide timely briefings to leadership on major incidents or changes in the program
Board Oversight Requirements:
The senior governing body must remain actively involved in cybersecurity oversight by:
- Maintaining or accessing adequate cybersecurity expertise
- Requiring executive leadership to manage and maintain the cybersecurity program
- Reviewing cybersecurity reports on a regular basis
- Ensuring sufficient resources are allocated for cybersecurity readiness and resilience
§500.17(b) – Annual Certification
By April 15 each year, every covered entity must submit one of the following to the NYDFS Superintendent:
- A certification of material compliance with 23 NYCRR Part 500
- Or an acknowledgment of noncompliance with details and a remediation plan
This submission must be:
- Signed by both the highest-ranking executive and the CISO
- If there is no CISO, then it must be signed by the executive and the officer responsible for cybersecurity
- Based on documented evidence proving material compliance (or lack thereof)
Entities must also:
- Keep supporting documentation for at least five years
- Be prepared to show remediation efforts for any gaps in compliance
- Use the electronic form available on the Department’s official website
3. Technical and Operational Controls
§500.5 – Vulnerability Management
Covered entities must establish written vulnerability management policies that:
- Support the cybersecurity program
- Reflect findings from the risk assessment
Minimum requirements include:
- Annual penetration testing from inside and outside the network, conducted by qualified internal or external experts
- Automated vulnerability scanning across all systems, with manual reviews where automation isn’t possible
  - Scans must occur regularly and after material changes
  - Automated scanning is mandatory for all covered entities by May 1, 2025
- Ongoing monitoring for new vulnerabilities
- Timely remediation prioritized by risk level
These steps help ensure threats are identified and addressed before they can be exploited.
§500.6 – Audit Trail
Covered entities must keep secure systems that:
- Reconstruct material financial transactions to support normal operations
- Track cybersecurity events that could disrupt critical functions
Audit trail records must stay on file for at least five years, helping teams investigate incidents and meet regulatory expectations.
§500.7 – Access Controls
Covered entities must:
- Give system access only on a need-to-know basis
- Limit and monitor privileged account use
- Review user access once a year (required by May 1, 2025)
- Remove access when no longer needed
- Disable remote access tools if not secured
- Follow strong password standards
Class A companies must add tools to manage and block weak passwords, keeping high-level accounts safe from misuse.
§500.8 – Application Security
Covered entities must:
- Use secure development practices for in-house applications
- Test and review third-party apps regularly
- Review and update app security standards each year
The CISO or another expert must oversee and revise these controls to stay ahead of threats.
§500.12 – Multi-Factor Authentication
By November 1, 2025, covered entities must use MFA for:
- All system access
- Remote logins
- Privileged accounts
If MFA isn’t possible, the CISO must approve stronger alternatives, reviewed at least once a year.
4. Risk Assessment and Response
§500.9 – Risk Assessment
Covered entities must:
- Run a documented risk assessment at least annually
- Update controls after business or tech changes
- Set policies to rate risks and adjust defenses
The risk assessment must guide the cybersecurity strategy and help improve protections as threats evolve.
§500.16 – Incident Response Plan
Covered entities must create and maintain written plans for:
- Incident response – define roles, decision-making authority, communications, response steps, and post-incident reviews
- Business continuity and disaster recovery (BCDR) – ensure critical systems, data, and services can resume quickly after a cyber event
Plans must be:
- Tested yearly
- Accessible to responsible staff
- Supported by secure backups
- Trained on by key personnel
The goal: keep operations running and respond fast to any major cybersecurity disruption.
5. Monitoring, Training, and Asset Management
§500.14 – Monitoring and Awareness
Covered entities must:
- Log and monitor user activity for unauthorized access or tampering
- Block malicious code via web and email filtering
- Deliver annual cybersecurity training, including social engineering
Class A companies must also:
- Deploy endpoint detection and response (EDR) tools
- Centralize logging and security alerts (unless equivalent protections are approved by the CISO)
§500.13 – Asset Inventory
By November 1, 2025, all entities must:
- Maintain a full, documented inventory of systems and data
- Include key asset details: owner, location, sensitivity, support timelines, and recovery time objectives
- Regularly update and validate the inventory
- Securely dispose of nonpublic information that is no longer needed (unless legally required to retain)
6. Reporting and Documentation
§500.17 – Notices to Superintendent
Covered entities must:
- Report cybersecurity incidents to the Superintendent within 72 hours
- Report ransomware or extortion payments within 24 hours, and explain the decision within 30 days
- Submit an annual compliance certification or acknowledgment by April 15, signed by the highest-ranking executive and the CISO (or equivalent)
- Keep supporting records for at least 5 years
7. Exemptions and Transitional Periods
§500.19 – Exemptions
Certain entities qualify for limited exemptions if they meet any of the following:
- Fewer than 20 staff or contractors
- Less than $7.5 million in annual revenue (past 3 years)
- Less than $15 million in total assets
Other exemptions apply for entities with no systems or nonpublic data, or individuals under another covered entity’s program.
Entities must file a Notice of Exemption within 30 days of qualifying.
If an exemption no longer applies, they have 180 days to comply with all applicable rules.
§500.22 – Transitional Periods
Deadlines for complying with the updated regulation:
- Most new rules take effect within 180 days
- Some rules allow 12–24 months, depending on the section
- New reporting requirements under §500.17 must be followed within 30 days of the amendment’s effective date (November 1, 2023)
- Additional phase-in deadlines continue through November 1, 2025
What Security Control Framework Should I Use for 23 NYCRR Part 500?
The NYDFS does not prescribe a specific security control framework for complying with 23 NYCRR Part 500. Instead, it expects covered entities to adopt a framework that aligns with their business model, technical environment, and risk profile. The regulation allows flexibility, but not all frameworks work equally well.
Several well-known frameworks that help support compliance with 23 NYCRR Part 500 include:
- NIST Cybersecurity Framework (NIST CSF): Frequently referenced as the structural basis for Part 500. It supports risk-informed implementation of technical and governance controls, and is ideal for institutions that want a balanced, modular framework.
- CIS Controls: Provides tactical, implementation-focused security practices. The CIS Controls v8.1 mapping to Part 500 offers direct control-to-regulation alignment.
- Cyber Risk Institute (CRI) Profile: Developed specifically for financial institutions, the CRI Profile builds on NIST CSF and integrates regulatory expectations. It offers a tailored approach to meeting requirements across multiple regimes, including Part 500, making it especially useful for banks and insurers with multi-state or federal oversight.
- ISO/IEC 27001/27002: International standards that align well with Part 500’s focus on risk management, control implementation, and governance. They’re frequently used by larger or globally regulated firms.
- Secure Controls Framework (SCF): Offers detailed mappings to NYDFS and other regulatory obligations, and supports organizations looking to demonstrate unified control coverage across frameworks.
Ultimately, the best framework is one that enables your organization to:
- Conduct formal, documented risk assessments
- Apply safeguards based on risk (not one-size-fits-all)
- Maintain traceable evidence of control implementation
- Support annual certification and NYDFS examination readiness
Do Third-Party Organizations Need To Comply With 23 NYCRR Part 500?
Not directly, but they’re still accountable. Third-party service providers are not themselves regulated by the New York State Department of Financial Services (NYDFS). However, they’re still subject to its cybersecurity expectations, indirectly through their contracts with regulated entities.
Under §500.11, any organization regulated by NYDFS must implement a third-party service provider security policy. That policy must require vendors to meet specific cybersecurity standards and provide formal assurances that they can protect nonpublic information and critical systems.
What Are Covered Entities Required To Do?
Under 23 NYCRR Part 500, regulated organizations must:
- Maintain a full inventory of third-party service providers
- Perform risk assessments for each vendor with system or data access
- Require vendors to follow minimum cybersecurity standards
- Conduct due diligence before engagement and regular reassessments over time
- Include contractual terms such as:
  - Multi-factor authentication (MFA)
  - Encryption of nonpublic information
  - Breach notification within defined timeframes
  - Audit or monitoring rights when appropriate
These requirements are all part of the covered entity’s responsibility, regardless of whether the vendor is large or small, in-state or remote.
Can Third-Party Failures Trigger NYDFS Penalties?
Yes. Recent enforcement actions prove that cybersecurity failures at the vendor level can lead to significant fines for regulated organizations.
For example:
- Gemini Trust Co. was fined $37 million in 2024 for failing to assess and oversee a third-party lending partner, which exposed customer assets and violated the intent of §500.11. Read more → DFS Press Release
- Block, Inc. was penalized $40 million in 2025 for broader compliance issues, including a failure to maintain board-reviewed third-party cybersecurity policies and business continuity controls. Enforcement summary → DFS Archive
What Penalties Apply for Noncompliance with NYDFS Regulation?
The New York State Department of Financial Services (NYDFS) enforces 23 NYCRR Part 500 under the authority of the Financial Services Law §408.
Covered entities that fail to meet their cybersecurity obligations may face civil monetary penalties, regulatory scrutiny, and, in severe cases, license actions or cease-and-desist orders.
NYDFS has been clear: failure to maintain a documented, risk-based cybersecurity program is not just a security issue. It’s a regulatory violation.
Enforcement Mechanisms
Under §500.20, NYDFS enforces the regulation through multiple channels:
- Monetary Penalties: Fines can be issued per violation or per day of noncompliance. The amount varies based on factors such as the nature of the failure, duration, and potential harm to consumers.
- Examinations and Investigations: NYDFS conducts periodic cybersecurity exams and reviews documentation submitted via the DFS Portal. Incomplete, outdated, or misleading information can lead to a formal investigation.
- License Suspensions or Cease-and-Desist Orders: In cases of gross negligence or systemic breakdowns, the department can revoke or suspend a company’s license to operate in New York.
Recent Penalties (2024–2025)
The past two years have seen a noticeable uptick in NYDFS enforcement actions tied to Part 500:
| Entity | Penalty | Key Violations | Part 500 Relevance |
| --- | --- | --- | --- |
| Block, Inc. | $40M | No board-reviewed cyber policies; deficient BCDR plan | Violated §§ 500.2, 500.3, 500.6 |
| PayPal, Inc. | $2M | No MFA for users; undocumented access controls | Violated §§ 500.3, 500.10, 500.12 |
| Gemini Trust Co. | $37M + $1.1B restitution | Inadequate vendor oversight and risk governance | Violated the spirit of §§ 500.4 and 500.11 |
Full details → DFS Enforcement Actions
These cases show that even well-known companies face steep penalties when controls are poorly implemented, undocumented, or disconnected from board-level oversight.
Top Noncompliance Risks
Security and compliance teams should pay close attention to the following high-risk areas:
- No written cybersecurity policies
- Failure to conduct or document annual risk assessments
- Missing MFA or delayed encryption implementation
- Inadequate incident response or breach notification procedures
- Vendor risk practices not aligned with §500.11
- Incomplete or false annual certification filings
How to Manage 23 NYCRR Part 500 Compliance
1. Build and Maintain a Structured Cybersecurity Program
Based on the risk assessment, organizations must implement and document a cybersecurity program that includes:
- Formal policies governing access, asset inventory, data governance, incident response, and business continuity
- Designation of a Chief Information Security Officer (CISO) to oversee and report on the program
- Defined procedures for secure system development, change management, and workforce training
- Board-level engagement and annual reporting
The program must not only be documented, but also actively followed and provable during examination.
2. Operationalize Asset and Vendor Inventory Management
You need visibility into the systems, devices, applications, and vendors that support business operations and store or process nonpublic information. This includes:
- Tracking ownership, data classification, and business impact of each asset
- Maintaining a vendor inventory with access scope and security responsibilities
- Identifying which vendors require risk assessments or contractual controls
- Linking vendors and assets to related assessments, policies, and exceptions
This inventory underpins compliance with technical controls, access management, and incident response.
3. Conduct and Maintain a Formal Risk Assessment
The annual risk assessment isn’t just a standalone requirement. It’s the foundation for how your organization implements every other control in Part 500. It defines which systems are critical, what types of data are most sensitive, where vulnerabilities exist, and which business functions need extra protection.
A strong risk assessment should:
- Identify internal and external risks to information systems and nonpublic information
- Evaluate likelihood and impact
- Inform security policies and technical controls
- Be updated as systems, vendors, and threats change
Without a current risk assessment, safeguards like MFA, encryption, and access reviews have no defensible basis and may fall short of compliance expectations.
4. Track Risks and Remediation in a Central Register
Any gaps discovered through assessments, incidents, audits, or monitoring must be tracked through a formal risk register. This should include:
- Descriptions of the risk and affected systems or vendors
- Assigned owners and remediation timelines
- Status tracking and evidence of resolution
- Links to policies, assessments, or incidents that support risk identification
This is essential for governance, board reporting, and meeting regulatory expectations around continuous improvement.
5. Apply and Document Safeguards Based on Risk
The regulation specifies technical and operational safeguards, but most are risk-dependent. You must determine when and where to apply them based on your assessment.
Safeguards include:
- Access Controls & MFA: Implemented based on system criticality and user role
- Encryption: For nonpublic information at rest and in transit, unless compensating controls are justified
- Vulnerability Scanning & Penetration Testing: Frequency and scope should reflect the risk posed by each environment
- Audit Trails & Monitoring: Required for material financial transactions and the detection of unauthorized activity
- Training & Endpoint Controls: Tailored by role, exposure level, and vendor access
These safeguards must be mapped to risk and tracked over time, not assumed.
6. Certify Compliance and Prepare for Examination
Every covered entity must submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance with a remediation plan. You must also be prepared to demonstrate compliance during DFS examinations, including:
- Documentation of your cybersecurity program
- Results of risk assessments
- Evidence of controls implementation (e.g., MFA logs, asset inventories, incident response exercises)
- A complete audit trail of changes and exceptions
Poor documentation, outdated risk assessments, or controls applied inconsistently across the organization can all lead to regulatory penalties, even in the absence of a breach.
Why Use 23 NYCRR Part 500 Compliance Software?
Managing 23 NYCRR Part 500 across spreadsheets, emails, and shared drives creates risk. The regulation requires structure:
- Risk-informed controls
- Documented oversight
- Evidence of ongoing program activity
Purpose-built compliance software helps security teams organize these tasks into repeatable, auditable workflows, reducing overhead while increasing accountability.
23 NYCRR Part 500 Compliance with Isora GRC
Isora GRC helps financial institutions translate 23 NYCRR Part 500 requirements into structured, repeatable workflows.
Instead of relying on static spreadsheets or complex legacy tools, security teams use Isora to engage their organization in risk assessments, inventory management, third-party reviews, and compliance documentation within one centralized system.

Here’s how Isora supports the four core programs needed for 23 NYCRR Part 500 compliance:
- Information Security Risk Management: Enables structured risk assessments aligned with frameworks like NIST CSF, CRI Profile, and CIS Controls. Results are scored and published to a centralized risk register for remediation and tracking—supporting §§ 500.9 and 500.2.
- Third-Party Security Risk Management: Manages a live vendor inventory with repeatable due diligence workflows. Teams collect responses, assign risk levels, and ensure control compliance under §500.11 (e.g., MFA, encryption, breach notification).
- Risk Register: Automatically logs risks from assessments, incidents, and audits. Each entry includes scoring, remediation deadlines, and documentation—supporting accountability and board reporting under §§ 500.4 and 500.17.
- Asset and Vendor Inventory: Consolidates systems, applications, and third-party services into a searchable view. Metadata fields support access reviews, control enforcement, and visibility into compliance with Part 500 technical requirements.
Request a demo to see how Isora GRC simplifies risk, vendor, and asset management without spreadsheets.
23 NYCRR Part 500 FAQs
What are Class A Companies under Part 500?
Class A Companies are large financial institutions with high complexity and broader exposure. To qualify, a business must have $20M+ in revenue and either 2,000+ employees or $1B+ in revenue, measured across two years. These firms follow stricter controls, such as independent audits and enhanced technical safeguards.
Are third-party vendors covered under 23 NYCRR Part 500?
Not directly. However, covered entities must assess third-party risk, demand proper safeguards, and enforce breach notification requirements through contracts.
How does Isora GRC help with 23 NYCRR Part 500 compliance?
Isora GRC helps by centralizing risk assessments, tracking controls, and automating evidence collection. It simplifies audits, maps requirements to action items, and supports reporting for NYDFS obligations.
What qualifies as a “cybersecurity event” under 23 NYCRR Part 500?
A cybersecurity event is any act or attempt, successful or not, to gain unauthorized access to information systems or disrupt operations. Events that impact nonpublic information or business continuity, even if contained, must be evaluated for reporting. If they meet defined thresholds, such as requiring notice to another regulator, they must be reported to NYDFS within 72 hours.
How often should risk assessments be updated for 23 NYCRR compliance?
Under 23 NYCRR Part 500, risk assessments must be conducted at least once per year. However, they should also be updated whenever significant changes occur in systems, vendors, or business operations.
What counts as “nonpublic information” under the regulation?
Nonpublic information includes any business or consumer data that is protected by law or could cause harm if exposed. This covers personally identifiable information (PII), health records, financial account details, and confidential business information. NYDFS expects covered entities to identify and secure all nonpublic information across systems, vendors, and business processes.
What documentation is required for NYDFS examinations?
During examinations, NYDFS may request copies of your cybersecurity program, risk assessments, audit trails, incident logs, asset and vendor inventories, and board reports. Examiners look for proof of implementation, not just policies. You must demonstrate active control management, tracked remediations, and an up-to-date record of how you meet each regulatory requirement.
Can we delay implementing new amendments if we’re already compliant with the original rule?
No. All covered entities, including those previously compliant, must meet the new deadlines and enhanced standards under the 2023–2025 amendments. NYDFS has made it clear that relying on earlier compliance is not a valid reason to defer updates. Each provision has specific rollout dates, and delays may trigger regulatory penalties and signal program weakness during future examinations.
Is using a cybersecurity framework enough to prove compliance?
No. Using a framework like NIST CSF or CIS Controls helps structure your approach, but NYDFS expects evidence of control implementation, governance, and risk-based decision-making. Frameworks support compliance; they don’t replace it. You still need documented policies, tracked safeguards, and validated controls aligned with the specific requirements of 23 NYCRR Part 500.