NYDFS cybersecurity regulations: what financial institutions must know in 2025
The New York Department of Financial Services (NYDFS) enforces one of the most comprehensive state-level cybersecurity regulations in the U.S.: 23 NYCRR 500. Updated in 2025, the regulation outlines mandatory cybersecurity requirements for banks, insurers, fintech companies, and other financial entities operating in New York.
Whether you’re preparing for an NYDFS audit or evaluating your compliance program, this guide breaks down exactly what you need to know to meet regulatory expectations and avoid penalties.
What you'll learn in this NYDFS compliance guide
- Who must comply with NYDFS 23 NYCRR 500
- The key cybersecurity requirements your organization must implement
- What changed in the 2025 NYDFS regulation update
- How penetration testing fits into compliance (Section 500.05)
What Are NYDFS Cybersecurity Regulations?
The NYDFS Cybersecurity Regulations, officially known as 23 NYCRR 500, are a set of rules issued by the New York Department of Financial Services (NYDFS) that require financial institutions and other regulated entities in New York to implement robust cybersecurity protections.
The regulations are designed to ensure the confidentiality, integrity, and availability of nonpublic information and IT systems used by financial institutions.
Who is subject to NYDFS cybersecurity regulations?
The NYDFS Cybersecurity Regulation (23 NYCRR 500) applies to a wide range of entities operating under the supervision, licensure, or registration of the New York Department of Financial Services (NYDFS). These organizations are considered “covered entities” and are required to implement and maintain a cybersecurity program that protects sensitive data and critical systems.
If your organization holds a license, charter, registration, or permit from the NYDFS, you are very likely required to comply with 23 NYCRR 500.
Note: Even if your operations are based outside New York, you may still be subject to the regulation if you serve New York consumers and hold an NYDFS license.
Covered Entities Include:
- Banks and trust companies: state-chartered commercial banks, private banks, and trust companies regulated by NYDFS
- Insurance providers: life insurers, health insurers, property and casualty insurers, and reinsurers licensed in New York
- Mortgage lenders and brokers: companies involved in residential mortgage lending, servicing, or brokering
- Money transmitters: firms that handle funds transfers, payment processing, or currency exchange services
- Fintech companies: technology-driven financial service providers, especially those operating under virtual currency or money transmission licenses
- Virtual currency businesses: entities operating under the NYDFS BitLicense framework for digital assets and crypto
- Licensed consumer credit reporting agencies: any credit bureau or consumer reporting entity that holds an NYDFS license
Key requirements of the NYDFS cybersecurity regulations (23 NYCRR 500)
The NYDFS Cybersecurity Regulation outlines a comprehensive framework for regulated financial institutions to protect their information systems and sensitive customer data. These rules are organized into specific sections, each targeting a critical cybersecurity function.
Below is a breakdown of the core requirements that every covered entity must implement and maintain:
1. Section 500.02 – Cybersecurity Program
All covered entities must develop and maintain a risk-based cybersecurity program that is designed to:
- Identify and assess cybersecurity risks
- Protect against unauthorized access or use
- Detect cybersecurity events
- Respond and recover from incidents
- Fulfill reporting and compliance obligations
This program must be documented, actively maintained, and tailored to the size, complexity, and risk profile of the organization.
2. Section 500.03 – Cybersecurity Policy
Covered entities are required to establish formal cybersecurity policies approved by senior management or the board of directors. These policies must address key areas such as:
- Data governance and classification
- Access controls and user authentication
- Business continuity and disaster recovery
- System and network security
- Incident response
- Customer data privacy
The policy should reflect the results of the entity’s risk assessment and be reviewed regularly.
3. Section 500.04 – Chief Information Security Officer (CISO)
Every organization must designate a qualified Chief Information Security Officer (CISO), either in-house or outsourced, who is responsible for:
- Implementing and overseeing the cybersecurity program
- Reporting cybersecurity risks to the board or senior executives
- Preparing an annual cybersecurity report
The CISO must have the authority and resources needed to manage cyber risk effectively.
4. Section 500.05 – Penetration Testing & Vulnerability Assessments
To validate the effectiveness of security controls, NYDFS mandates:
- Annual penetration testing of both internal and external systems
- Biannual vulnerability assessments to proactively identify security weaknesses
These assessments must align with the organization’s risk profile and be conducted by qualified personnel, either internal or third-party.
This section is one of the most commonly cited during NYDFS audits, especially for regulated fintech, banks, and insurers.
5. Section 500.06 – Risk Assessment
Entities must perform periodic risk assessments to:
- Identify threats and vulnerabilities to information systems
- Evaluate the adequacy of current controls
- Inform updates to cybersecurity programs and policies
These assessments must be documented, repeatable, and updated as business operations or threat landscapes evolve.
6. Section 500.11 – Third-Party Service Provider Security Policy
Covered entities must maintain a formal program for managing cybersecurity risks posed by third-party vendors. This includes:
- Due diligence before onboarding vendors
- Contractual obligations to protect nonpublic information (NPI)
- Ongoing monitoring of vendor security practices
- Periodic audits or attestations
Third-party risk management is a major focus area in the 2025 NYDFS updates.
7. Section 500.12 – Multi-Factor Authentication (MFA)
To protect access to sensitive systems, NYDFS requires the implementation of multi-factor authentication (MFA) for:
- Remote access to internal networks
- Access to systems containing nonpublic information (NPI)
Alternatives to MFA must be justified in writing and approved by the CISO.
8. Section 500.17 – Incident Reporting & Certification of Compliance
Organizations are required to:
- Report cybersecurity events to NYDFS within 72 hours of determining they have occurred
- Submit an Annual Certification of Compliance by April 15 each year
Failure to report or certify compliance may result in significant penalties, public enforcement actions, and reputational damage.
Enforcement and penalties for non-compliance with NYDFS cybersecurity regulations
Failure to comply with the NYDFS Cybersecurity Regulation (23 NYCRR 500) can lead to severe consequences, both financial and reputational. NYDFS has made it clear that it will aggressively enforce the regulation and hold covered entities accountable for lapses in cybersecurity controls, governance, and incident response.
Penalties for non-compliance may include:
- Civil monetary penalties: significant fines for each violation of the regulation. NYDFS may impose penalties on a per-violation or per-day basis.
- Regulatory enforcement actions: formal consent orders, cease-and-desist directives, or operational restrictions imposed by NYDFS.
- Public disclosure of violations: NYDFS publicly announces enforcement actions, which can harm your organization’s reputation and investor confidence.
- License revocation or suspension: in severe cases, NYDFS may revoke or suspend a company’s license to operate in New York State.
Notable NYDFS enforcement actions
1. $11.3 Million in Fines: GEICO & Travelers (Nov 2024)
- Fine amount: $9.75 M (GEICO), $1.55 M (Travelers) = $11.3 M total
- Key violations: lack of MFA and weak application controls; failure to detect and remediate vulnerabilities in agent and public portals, exposing the driver’s license data of ~116,000 New Yorkers
2. $11.3 Million: Two Auto Insurance Companies (Dec 2024)
- Entities: Two major auto insurers (unnamed in report)
- Fine amount: $9.75 M + $1.55 M = $11.3 M
- Violations: Cybersecurity deficiencies in online quoting tools leading to theft of driver’s license numbers (~120,000 NY residents)
2025 updates to NYDFS cybersecurity regulations (23 NYCRR 500)
The New York Department of Financial Services (NYDFS) finalized significant amendments to its Cybersecurity Regulation, 23 NYCRR 500, on November 1, 2023, with full enforcement deadlines rolling out through May 1, 2025.
📄 Official Source: NYDFS – Second Amendment to 23 NYCRR 500 (PDF)
These updates are designed to address the evolving threat landscape, strengthen executive accountability, and close known gaps in third-party oversight and breach response. Here’s what financial institutions and other covered entities need to know:
- Enhanced governance and board accountability: boards must now formally oversee cybersecurity programs, receive annual reports from the CISO, and approve security strategy and resources
- Faster breach notifications: 72 hours to report any cybersecurity event; 24 hours to report extortion/ransom payments; 30 days to file a post-incident report
- Strengthened third-party risk requirements: vendors must undergo due diligence, sign breach-notification clauses, and be monitored continuously
- Class A entity controls: large organizations (≥2,000 employees or ≥$1B revenue) must implement privileged access management (PAM), endpoint detection and response (EDR), logging, and stricter access controls
- Vulnerability scanning and risk alignment: scans are required after major system changes, and cyber programs must reflect real-time risk assessment outcomes
- Expanded exemptions: entities with <20 employees, <$7.5M revenue, or <$15M assets may qualify, but must still file a Notice of Exemption and maintain basic cybersecurity controls
Need help meeting NYDFS penetration testing requirements?
Under Section 500.05 of the NYDFS Cybersecurity Regulation, annual penetration testing is not just a best practice; it’s a compliance requirement.
Whether you’re preparing for your next NYDFS audit or building your first security program, our guide breaks down:
- What NYDFS expects from your testing program
- How to scope, schedule, and document your pen tests
- What to look for in a qualified testing provider
- Common testing pitfalls that trigger enforcement actions
Get practical tips to ensure your penetration testing meets NYDFS expectations.
Download the Buyer’s Guide: Selecting the Right Pentesting Partner for NYDFS Compliance
Explore U.S. cybersecurity compliance frameworks
NYDFS 23 NYCRR 500 is just one of several active state-level cybersecurity regulations. If your organization operates across multiple jurisdictions, it’s essential to understand how NYDFS compares with:
- California’s CCPA/CPRA
- Texas’ TAC 202
- Massachusetts’ 201 CMR 17.00
Explore how these intersect in our full guide to U.S. cybersecurity compliance frameworks, including NIST, SOC 2, ISO 27001, and CMMC.