NY DFS Cybersecurity Regulation (23 NYCRR 500): what financial services firms and their MSPs need to know

Most NYDFS compliance programs in active use today were built against the original 2017 version of 23 NYCRR Part 500. The November 2023 amendments materially changed what’s required, and a program that hasn’t been refreshed against the current rule is now operating against requirements that no longer exist.

This matters because the New York Department of Financial Services has been actively enforcing the regulation, with penalties at the scale that finance teams notice. Robinhood paid $30 million in 2022. EyeMed Vision Care paid $4.5 million. OneMain Financial paid $4.25 million in 2023. These weren’t theoretical risks. They were enforcement outcomes against entities that, in DFS’s assessment, hadn’t implemented controls the regulation required.

This guide covers what 23 NYCRR 500 actually requires under the amended rule, who has to comply, how the 72-hour and 24-hour reporting clocks work in practice, what the regulation imposes on third-party service providers (which is to say, MSPs), and how to build a defensible compliance posture under active examination. Read the 2026 Kaseya State of the MSP Report for the broader cybersecurity context.


What is 23 NYCRR 500?

23 NYCRR Part 500 is the New York Department of Financial Services’ cybersecurity regulation, effective March 1, 2017 and substantially amended in November 2023. The regulation requires covered financial services companies to establish a documented cybersecurity program, appoint a CISO, maintain a defined set of security controls, and notify the DFS of specific cybersecurity events on tight timelines.

The November 2023 amendments (the Second Amendment to Part 500) added requirements that reflect how the threat landscape has changed since the original rule. Expanded encryption requirements. Strengthened MFA mandates, including a move toward phishing-resistant MFA where feasible. Enhanced continuous monitoring expectations. A new 24-hour notification window for ransom payments. And a more rigorous set of controls applicable to large covered entities (Class A companies).

For organizations whose programs were last comprehensively assessed before November 2023, the practical implication is that the gap analysis needs to be rerun. Several requirements changed materially, and the certification language used annually by senior officers makes accuracy of the compliance statement personally consequential.

Who must comply

23 NYCRR 500 applies to any person operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. In practice that captures state-chartered banks, insurance companies, mortgage servicers, money transmitters, check cashers, premium finance agencies, licensed lenders, and the broader population of DFS-regulated entities.

Smaller entities may qualify for limited exemptions from certain prescriptive requirements. The §500.19 limited exemption threshold combines three conditions: fewer than 20 employees and independent contractors, less than $7.5 million in gross annual revenue from New York operations, and less than $15 million in year-end total assets. Entities meeting all three thresholds use the limited exemption, but they remain subject to the core cybersecurity program requirement.

The November 2023 amendments also introduced a Class A category for the largest covered entities, defined by employee count, revenue, and asset thresholds. Class A companies face additional requirements above the base rule, including more rigorous monitoring and identity management controls. Mid-market and large financial services firms operating in New York should check whether they fall inside the Class A definition; the additional obligations are material.

Third-party service providers, including MSPs and managed security service providers, are not directly licensed by the DFS but are pulled into compliance scope through §500.11, which requires covered entities to manage the cybersecurity practices of providers with access to their systems or non-public information.

Key requirements under the amended regulation

The amended rule covers a defined set of control areas. The most operationally significant requirements include the following.

A documented cybersecurity program, based on a risk assessment, covering the confidentiality, integrity, and availability of the covered entity’s information systems. The program must be reviewed at least annually and updated when the risk picture changes.

A qualified CISO, internal or outsourced, responsible for the program and required to report annually to the board (or equivalent governing body) on the program’s effectiveness, material risks, and incidents. The annual report became more substantive under the November 2023 amendments.

Multi-factor authentication on all remote access to the covered entity’s information systems, all access to non-public information, and all privileged accounts. The amendment introduced a preference for phishing-resistant MFA (typically WebAuthn or FIDO2-based authentication) where feasible, recognizing that SMS-based and app-based OTP can be defeated by modern phishing kits.

Encryption of non-public information in transit over external networks and at rest. Alternative compensating controls are permitted only with documented CISO approval and a defensible reason for the exception.

Asset management and access controls. A maintained inventory of all information systems, documented handling policies for non-public information, least-privilege access for all user accounts, privileged access management for elevated permissions, and annual access reviews.

Continuous monitoring of information systems, penetration testing at least annually, and vulnerability assessments at least every six months. The continuous monitoring language is what makes the 72-hour reporting clock operationally achievable rather than aspirational.

A documented incident response plan covering detection, response, recovery, communication, and post-incident review, tested at least annually. Documentation of the testing is itself part of the evidence the DFS expects during examination.

Annual cybersecurity training for all personnel, with role-specific training for technical staff on current threats. The amendments raised the bar on what counts as adequate training.

The 72-hour incident reporting requirement

Covered entities must notify the DFS within 72 hours of determining that a cybersecurity event has occurred that meets the reporting threshold. The threshold is met when an event has a reasonable likelihood of materially harming any normal operation of the entity, or when the event affects non-public information.

The November 2023 amendments added a 24-hour notification requirement for ransom payments. Covered entities making a ransom payment must notify the DFS within 24 hours of the payment, and provide a written description of the event and the reasons for the payment within 30 days.

Annual certification of compliance is required from a senior officer or director, and the certification language creates personal accountability for the accuracy of the compliance statement. Filing a certification that misrepresents the program’s state is the kind of action that draws not just civil but potential individual liability.

The operational challenge with the 72-hour clock isn’t the timeline itself. It’s the requirement to be detecting events fast enough to know one has occurred. An incident discovered Tuesday morning that actually began the previous Saturday has already burned most of the 72-hour window before the entity knows it’s running. Continuous monitoring, whether in-house or delivered through an MDR provider, is what makes the reporting requirement meet-able rather than miss-able.

Third-party service provider requirements

Section 500.11 requires covered entities to implement policies and procedures for the security of third-party service providers. The requirements include identification and risk assessment of all third-party providers with access to non-public information or covered entity systems, minimum cybersecurity practices required of those providers (covering encryption, access controls, MFA, and incident response), periodic assessment of provider security practices, and inclusion of security requirements in the contracts that govern the relationship.

For MSPs serving covered financial services clients in New York, the operational implication is direct. The MSP has to meet the cybersecurity standards the covered entity is contractually required to impose. This is not optional for either side. The covered entity cannot remain in compliance without imposing these requirements on its MSP. The MSP cannot remain a viable supplier to the covered entity without demonstrably meeting them.

Consider a common operational shape. An MSP serves a mid-sized New York mortgage lender as the primary IT and security provider. The lender comes up for DFS examination. The examiner asks for evidence of MFA enforcement on all privileged access into the lender’s information systems, including access by technicians at the MSP. The MSP’s standard tooling has MFA enabled, but enforcement has not been audited in months, and three accounts belonging to technicians who left the company in the last quarter were deactivated late. The MSP becomes a gap in the lender’s compliance posture, and the lender becomes a gap in the MSP’s commercial position. Both problems trace back to the MSP not running its own program to the standard the regulation expects of its client.

The practical baseline for MSPs serving New York financial services clients is straightforward. Document the cybersecurity program. Enforce phishing-resistant MFA on every account that touches a client environment. Maintain a tested incident response plan. Run continuous monitoring. And keep the evidence that all of this is happening, in a format that survives a client audit, because that audit is coming.

Enforcement: what the DFS has done

The DFS enforcement record demonstrates that this is not a paper regulation. The pattern in the published settlements is consistent: deficiencies in MFA, access controls, third-party management, and incident response capability are the primary enforcement targets.

First American Financial Corp settled in 2021 for $500,000 over violations including failure to conduct adequate risk assessments and failure to address known vulnerabilities. Robinhood Crypto reached a $30 million settlement in 2022 over cybersecurity program deficiencies. EyeMed Vision Care settled for $4.5 million in 2022 following a breach affecting approximately 2.1 million individuals, with the settlement citing failures in access management and MFA. OneMain Financial settled for $4.25 million in 2023 over identified program gaps.

Each of these settlements names specific control failures rather than penalizing a generic compliance shortfall, which gives a clear signal about where future enforcement is likely to focus. MFA coverage. Access management discipline. Vulnerability remediation. Third-party oversight. Incident response capability.

Compliance roadmap for covered entities and their MSPs

The work breaks down into five stages.

Run a fresh gap assessment against the amended regulation. If the last comprehensive assessment used the 2017 version of the rule, repeat it against the November 2023 amendments. Several control areas have new or strengthened requirements, and assumptions baked into pre-2023 programs are no longer reliable.

Prioritize MFA and access controls. These are the most frequently cited deficiencies in the published enforcement actions. Phishing-resistant MFA on all privileged access, all access to non-public information, and all remote access is the non-negotiable starting point. Layered on top of that, document the access review cadence and the offboarding workflow that ensures revoked accounts are actually revoked.

Implement, or contract for, continuous monitoring capability. The 72-hour reporting clock requires detection capability fast enough to identify reportable events promptly. Twenty-four-seven monitoring through an in-house SOC, a managed SIEM service, or an MDR provider is the practical answer.

Review and test the incident response plan. Run the exercise at least annually. Document the testing and the post-exercise improvements. Include the DFS notification workflow as a specific runbook within the plan, with named owners and the form of the early notification pre-drafted.

Assess and document third-party security. Covered entities should inventory their MSPs and other in-scope providers, assess their security practices on a defined cadence, and update contracts to reflect §500.11 requirements. MSPs should prepare the evidence package proactively, because waiting for the client’s audit is waiting too long.
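As an added illustration (not code from the original post or from any Kaseya product), the script below shows the kind of self-check the MSP scenario above and the MFA and access-control step of this roadmap call for: it runs over an account export and flags privileged or remote-capable accounts without phishing-resistant MFA, and accounts of departed staff that were deactivated late or are still active. The MFA labels, the one-day offboarding SLA, the review date and the account rows are all constructed assumptions.

```python
"""Access-review check over a technician account export (constructed data)."""
from datetime import date, timedelta

PHISHING_RESISTANT = {"fido2", "webauthn"}   # assumed labels used by the export
OFFBOARD_SLA_DAYS = 1                        # assumed internal deactivation SLA
AS_OF = date(2024, 4, 1)                     # constructed review date

# Constructed sample export: one row per technician account.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "remote": True, "mfa": "fido2",
     "left": None, "deactivated": None},
    {"user": "bob",   "privileged": True,  "remote": True, "mfa": "sms",
     "left": None, "deactivated": None},
    {"user": "carol", "privileged": False, "remote": True, "mfa": "totp",
     "left": None, "deactivated": None},
    {"user": "dave",  "privileged": True,  "remote": True, "mfa": "fido2",
     "left": date(2024, 3, 1), "deactivated": date(2024, 3, 9)},
    {"user": "erin",  "privileged": False, "remote": True, "mfa": "fido2",
     "left": date(2024, 3, 15), "deactivated": None},
]


def review_accounts(accounts, as_of):
    """Return (user, control, detail) findings for the two control areas."""
    findings = []
    for a in accounts:
        in_scope = a["privileged"] or a["remote"]   # remote or privileged access
        active = a["deactivated"] is None
        # Control 1: phishing-resistant MFA on every active in-scope account.
        if in_scope and active and a["mfa"] not in PHISHING_RESISTANT:
            findings.append((a["user"], "mfa", f"{a['mfa']} is not phishing-resistant"))
        # Control 2: departed staff deactivated within the SLA.
        if a["left"]:
            deadline = a["left"] + timedelta(days=OFFBOARD_SLA_DAYS)
            closed = a["deactivated"] or as_of       # still open counts up to today
            if closed > deadline:
                lag = (closed - deadline).days
                detail = "still active" if active else f"deactivated {lag} day(s) late"
                findings.append((a["user"], "offboarding", detail))
    return findings


def run_review():
    return review_accounts(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, control, detail in run_review():
        print(f"{user:6} {control:12} {detail}")
```

Keeping each dated run of this output alongside the export it was run against is the evidence an examiner asks for; the script itself is only the check.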

Compliance Manager GRC supports 23 NYCRR 500 assessment within its framework library, allowing covered entities and their IT teams to track compliance status against the amended rule, document controls, manage third-party assessments, and generate the evidence the DFS expects during examination. Explore Compliance Manager GRC for the operational side of running a NYDFS program continuously rather than rebuilding it under examination pressure.

The financial services firms and MSPs that come through DFS examinations cleanly aren’t necessarily the ones with the most expensive security stacks. They’re the ones whose program documentation matches operational reality, whose evidence is current rather than reconstructed, and whose annual certification is something the certifying officer can sign without a careful conversation with counsel first. The amended 23 NYCRR 500 is a meaningful regulation enforced by an active regulator with a track record. The starting position for compliance is treating the rule as continuous discipline, not as a project that ends.

Key Takeaways

  • 23 NYCRR 500 is actively enforced. The DFS has issued multiple multi-million-dollar penalties citing specific control failures around MFA, access management, and incident response. Programs that haven’t been refreshed against the November 2023 amendments are operating against an outdated rule.
  • The 72-hour incident reporting clock and the 24-hour ransom-payment notification window require continuous detection capability. Business-hours-only monitoring will not meet either timeline reliably.
  • Third-party service provider obligations under §500.11 are explicit. Covered entities must impose cybersecurity requirements on MSPs with access to their systems, and MSPs must be able to evidence compliance with those requirements. Both sides are exposed if either side falls short.
  • Annual certification by a senior officer creates personal accountability for the accuracy of the compliance statement. The combination of personal accountability and the published enforcement record makes compliance an executive-level concern, not an IT-department-only concern.
