NYDFS Cybersecurity Regulation (23 NYCRR 500)
NYDFS Cybersecurity Regulation (23 NYCRR 500) requires NYDFS-regulated financial services entities to run a risk-based cybersecurity program that can identify, protect, detect, respond to, and recover from cybersecurity events, with specific operational controls like MFA, documented risk assessments, incident response, secure data disposal, third-party oversight, and annual governance reporting 1.
Key takeaways:
- Treat MFA for external access and email as a “no-exceptions” implementation target because NYDFS repeatedly enforces it 2.
- Your risk assessment must drive the program; examiners will ask for the assessment, updates, and resulting control changes 1.
- Certification and governance are enforcement triggers; NYDFS has charged improper certifications and assessed multi-million-dollar penalties 3.
This page operationalizes the NYDFS Cybersecurity Regulation (23 NYCRR 500) requirement at the program level: what the rule expects, who must comply, what to implement first, and what evidence you need ready for an NYDFS exam. The regulation is outcome-driven (confidentiality, integrity, availability) but it is not “principles-only.” NYDFS expects a documented program that is explicitly based on a risk assessment and that performs core cybersecurity functions from identification through recovery 1.
NYDFS enforcement has made certain themes predictable in exams and investigations: missing or incomplete MFA, weak governance and certification support, slow remediation of known issues, and weak data retention/disposal practices 4. If you are a CCO, GRC lead, or compliance officer, the fastest path is to run 23 NYCRR 500 as a set of auditable requirements: defined ownership, documented risk decisions, control implementation evidence, and a certification process tied to proof, not optimism.
Regulatory text
Regulatory excerpt (program requirement):
“Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems. The cybersecurity program shall be based on a Risk Assessment and designed to perform core cybersecurity functions including: (1) identify and assess internal and external cybersecurity risks; (2) use defensive infrastructure and policies; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events; and (5) recover from Cybersecurity Events and restore normal operations and services.” 1
Operator interpretation (plain English):
- You need a written, operating security program that covers the full lifecycle: identify → protect → detect → respond → recover 1.
- The program can’t be generic. It must be based on your documented risk assessment, and you must be able to show how risk findings changed priorities, architecture, and controls 1.
- NYDFS expects specific control outcomes that show up repeatedly in enforcement: MFA, secure access controls, incident readiness, data disposal/retention discipline, and third-party oversight 5.
Who it applies to (entity + operational context)
You should treat yourself as a “Covered Entity” if you are licensed, registered, or chartered by NYDFS under New York Banking Law, Insurance Law, or Financial Services Law, including banks, insurers, and other financial services companies operating in New York 1.
Exemptions exist, including a limited exemption framework tied to headcount, revenue, and assets, but you need counsel to confirm eligibility and scope because partial obligations may remain even when an exemption applies 1.
Operationally, this requirement touches:
- Identity and access management (workforce, admins, contractors).
- Email and collaboration systems (often the breach entry point).
- Customer-facing apps and portals.
- Data stores containing Nonpublic Information (NPI).
- Third parties with any access to systems or NPI.
What you actually need to do (step-by-step)
The goal is an exam-ready program: controls working, decisions documented, and evidence retained.
1) Establish program ownership, scope, and system inventory
- Name accountable owners for cybersecurity program governance (security lead) and compliance oversight (GRC/CCO).
- Define scope: entities, business lines, and information systems in scope for NYDFS oversight 1.
- Build/refresh an inventory of:
- Information systems (including SaaS)
- Data repositories containing NPI
- External access paths (VPN, VDI, admin portals, email)
Artifact: system inventory and data flow notes tied to NPI.
2) Perform and document a risk assessment that drives the program
- Run a documented risk assessment of information systems sufficient to inform your cybersecurity program design 1.
- Capture changes that require reassessment: new systems, M&A, new third parties, major architecture changes.
- Convert findings into a control roadmap with owners and due dates.
Exam posture tip: Examiners will ask “show me the risk assessment, then show me what you changed because of it.” Keep that mapping explicit.
Artifacts: risk assessment report, risk register, control-to-risk mapping, remediation plan.
3) Implement MFA and close “exception” pathways
NYDFS enforcement repeatedly points to MFA breakdowns as a root cause, especially in email and external access contexts 2.
Action steps:
- Require MFA for all external network access and remote administrative access.
- Require MFA for enterprise email access (including webmail and legacy protocols).
- Eliminate “temporary” bypasses: legacy protocols that accept a password alone (IMAP/POP/SMTP basic auth), service accounts used for interactive or external logins, break-glass accounts without compensating controls, and unmanaged BYOD access.
Artifacts: MFA policy, conditional access configs, MFA coverage report, exception register with approvals.
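The MFA coverage report above is the artifact examiners ask for first, and it is only useful if it counts what actually reaches the login: an account with MFA “enabled” in the IdP but IMAP basic auth still permitted is a gap, and an exception with no approver or a past expiry date is a gap too. The script below is an added example, not code from the page or from NYDFS; the account rows, exception register entries, system names and legacy-protocol list are constructed for illustration, and in practice the rows would come from your IdP policy/sign-in export and your exception register.

```python
"""MFA coverage report for external access and email paths.

Flags in-scope accounts that reach email or external access without
effective MFA, and treats an exception as valid only if it has an approver,
a compensating control and an unexpired date. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Protocols that authenticate with a password alone and therefore bypass MFA
# even when the tenant shows MFA "enabled" (illustrative list, not exhaustive).
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-auth", "activesync-basic"}


@dataclass(frozen=True)
class Account:
    system: str                   # hypothetical system id, e.g. "m365-email", "vpn"
    principal: str                # human identity the account maps back to
    in_scope: bool                # email or external access path: MFA expected
    mfa_enforced: bool            # a conditional-access/MFA policy applies to this login
    protocols: frozenset = frozenset()   # legacy protocols still enabled for the account


@dataclass(frozen=True)
class MfaException:
    system: str
    principal: str
    approved_by: str              # empty string means never approved
    expires: date
    compensating_control: str     # empty string means none documented


def exception_is_valid(exc: MfaException, as_of: date) -> bool:
    """An exception counts only if approved, unexpired and backed by a control."""
    return bool(exc.approved_by) and bool(exc.compensating_control) and exc.expires >= as_of


def mfa_coverage(accounts, exceptions, as_of):
    """Return (per-system stats, list of (system, principal, reason) gaps)."""
    valid = {(e.system, e.principal) for e in exceptions if exception_is_valid(e, as_of)}
    invalid = {(e.system, e.principal) for e in exceptions} - valid
    report, gaps = {}, []
    for a in accounts:
        if not a.in_scope:
            continue                      # internal-only systems are reported elsewhere
        stats = report.setdefault(a.system, {"in_scope": 0, "covered": 0, "excepted": 0, "gap": 0})
        stats["in_scope"] += 1
        legacy = a.protocols & LEGACY_PROTOCOLS
        key = (a.system, a.principal)
        if a.mfa_enforced and not legacy:
            stats["covered"] += 1         # MFA applies and nothing routes around it
        elif key in valid:
            stats["excepted"] += 1        # documented, approved, time-boxed exception
        else:
            stats["gap"] += 1
            reason = ("mfa not enforced" if not a.mfa_enforced
                      else "legacy protocol enabled: " + ",".join(sorted(legacy)))
            if key in invalid:
                reason += " (exception expired or unapproved)"
            gaps.append((a.system, a.principal, reason))
    for s in report.values():
        # Exceptions are tracked separately; they do not inflate the coverage figure.
        s["coverage_pct"] = round(100 * s["covered"] / s["in_scope"], 1)
    return report, gaps


# Constructed sample inventory and exception register.
SAMPLE_ACCOUNTS = [
    Account("m365-email", "alice", True, True),
    Account("m365-email", "bob", True, True, frozenset({"imap"})),   # MFA on, IMAP still open
    Account("m365-email", "svc-scanner", True, False),
    Account("vpn", "alice", True, True),
    Account("vpn", "carol", True, False),
    Account("intranet-wiki", "dave", False, False),                   # not an external/email path
]
SAMPLE_EXCEPTIONS = [
    MfaException("m365-email", "svc-scanner", "ciso", date(2026, 6, 30),
                 "source IP allow-list; app password rotated quarterly"),
    MfaException("vpn", "carol", "", date(2025, 1, 31), "none"),      # never approved, expired
]
AS_OF = date(2025, 9, 1)

if __name__ == "__main__":
    report, gaps = mfa_coverage(SAMPLE_ACCOUNTS, SAMPLE_EXCEPTIONS, AS_OF)
    for system, stats in report.items():
        print(system, stats)
    for system, principal, reason in gaps:
        print(f"GAP {system}/{principal}: {reason}")
```

Run against the sample data, the report shows m365-email at one covered, one excepted and one gap (bob's IMAP access defeats MFA despite the policy), and vpn at one covered and one gap (carol, whose exception was never approved and has lapsed). Each gap row is what goes into the remediation ticket; each excepted row is what goes into the exception register review.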
4) Put access control governance on rails
Access control failures appear as program breakdowns in enforcement narratives 6.
Action steps:
- Define role-based access and least privilege for systems containing NPI 1.
- Implement periodic access reviews for privileged and sensitive access.
- Prohibit shared admin accounts; require traceability to a human identity.
Artifacts: access review logs, joiner-mover-leaver procedures, privileged access standards, admin account inventory.
5) Operationalize detection, response, and recovery
The program must detect and respond to events, then restore operations 1.
Action steps:
- Maintain an incident response plan aligned to your environment (email compromise, credential stuffing, ransomware).
- Tabletop test scenarios that match enforcement patterns (phishing leading to mailbox access; credential stuffing against customer portals) 7.
- Align recovery plans with business services and define decision criteria for escalations.
Artifacts: IR plan, tabletop agendas and after-action reports, incident severity matrix, recovery runbooks.
6) Implement secure disposal and email retention rules
NYDFS has explicitly treated lack of an email retention policy as a cybersecurity violation in enforcement 8. The regulation requires policies and procedures for secure disposal of NPI that is no longer needed, with exceptions where retention is legally required or targeted disposal is not feasible 1.
Action steps:
- Create a data retention schedule that covers email, files, collaboration platforms, and backups.
- Implement technical enforcement (retention labels, auto-deletion, mailbox limits where appropriate).
- Document legal/regulatory holds and exceptions.
Artifacts: retention and disposal policy, retention schedule, system configurations, legal hold procedures, deletion logs (where available).
7) Third-party risk management tied to access and incidents
NYDFS enforcement has cited third-party failures and poor due diligence as part of program weaknesses 6.
Action steps:
- Classify third parties by access (NPI access, system access, critical service).
- Contractually require security controls, incident notification duties, and audit rights appropriate to risk.
- Monitor material changes and adjust risk after incidents (a specific failure theme in enforcement narratives) 6.
Artifacts: third-party inventory, risk assessments, due diligence packages, contract templates, monitoring logs, incident post-mortems impacting third-party ratings.
8) Governance: board reporting and certification discipline
Annual governance reporting and certification are high-risk moments. NYDFS has charged improper certifications while violations existed 3.
Action steps:
- Produce an annual cybersecurity report to the board that covers program effectiveness, material risks, and major incidents 1.
- Run certification as a controlled process:
- Define what “compliant” means for each requirement
- Require evidence
- Document exceptions and remediation plans before sign-off
Artifacts: board deck and minutes, certification workpapers, evidence index, exception and remediation attestations.
Public enforcement cases
Use these cases as “what NYDFS will test” checklists, not as abstract cautionary tales.
| Case (NYDFS press release) | Penalty | What to learn operationally |
|---|---|---|
| Carnival Corporation (June 24, 2022) 9 | $5,000,000 9 | Multiple events plus improper compliance attestation risk. Treat certification as evidence-based. |
| OneMain Financial (May 25, 2023) 6 | $4,250,000 6 | Third-party oversight and access control hygiene. Track vendor due diligence, adjust risk after incidents. |
| First American Title (Nov 28, 2023) 10 | $1,000,000 10 | Remediate known vulnerabilities quickly and document decisions. “Found but not fixed” is indefensible. |
| Genesis Global Trading (Jan 3, 2024) 11 | $8,000,000 11 | Data disposal and risk assessment discipline. NYDFS will pursue large penalties tied to foundational program gaps. |
| PayPal (Jan 23, 2025) 12 | $2,000,000 12 | Credential stuffing and customer data exposure. Mandatory MFA is a prevention control NYDFS expects. |
| Healthplex (Aug 14, 2025) 8 | $2,000,000 8 | MFA on Microsoft 365 and email retention policy enforcement. Also highlights timely event reporting expectations. |
Enforcement context and risk implications: Across major actions, NYDFS penalties ranged from $1,000,000 to $8,000,000 13. Treat gaps in MFA, risk assessment documentation, secure disposal, and certification support as enforcement-grade findings, not “audit issues” 14.
Required evidence and artifacts to retain (exam-ready set)
Keep these in a single evidence index (folder structure or GRC system), versioned, with owners.
Core program
- Cybersecurity program documentation mapped to core functions (identify/protect/detect/respond/recover) 1
- Policies and procedures approved and reviewed on a defined cadence
Risk and remediation
- Current risk assessment + prior versions and change triggers 1
- Risk register and remediation tracking with due dates and approvals
- Vulnerability and penetration testing outputs and remediation proof (tie to risk assessment)
Identity and access
- MFA policy and configuration evidence
- Access reviews (privileged and NPI systems), exceptions, and terminations
Data governance
- Retention and disposal policy, retention schedule, and legal hold procedures 1
- Technical enforcement evidence (retention labels, auto-deletion settings, deletion logs where available) 8
Incident readiness
- Incident response plan, tabletop results, incident log
- Detection coverage summary (logging/SIEM notes, alert runbooks)
Third parties
- Third-party inventory with risk tiers
- Due diligence packages and contracts with security requirements
- Ongoing monitoring and risk score adjustment documentation 6
Governance
- Board reporting materials 1
- Certification workpapers and sign-off package
Common exam/audit questions and hangups
- “Show me your risk assessment and how it informs the program.” Have a control roadmap that references specific risk findings 1.
- “Where is MFA enforced, and where is it not?” Be ready to prove coverage for email and all external access paths 7.
- “How do you dispose of NPI you no longer need?” Examiners will ask for policy plus technical enforcement and exceptions 1.
- “How do you manage third parties with access to NPI?” Expect scrutiny after incidents and on whether you adjusted third-party risk 6.
- “How did you support your annual certification?” Prepare an evidence-backed certification binder; improper certifications have been charged 3.
Frequent implementation mistakes (and how to avoid them)
- Treating MFA as “mostly done.” Fix: generate a system-by-system MFA coverage report and track remediation like a control gap 7.
- Risk assessment as a PDF nobody uses. Fix: create a “risk finding → control change” table and update it when systems change 1.
- Over-retaining email and files because Legal “might need it.” Fix: define retention periods by record class, implement legal holds, and enforce deletion where permitted 15.
- Remediation without deadlines or escalation. Fix: set SLAs by severity and require executive sign-off for overdue items; “known but unfixed” has shown up in enforcement 10.
- Certifying without a proof package. Fix: require control owners to submit evidence, document noncompliance, and file remediation plans before certification sign-off 9.
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Confirm Covered Entity status and any applicable exemptions with counsel 1.
- Build the evidence index and assign owners for each domain (IAM, IR, data retention, third party).
- Produce an MFA coverage inventory for external access and email; open remediation tickets for gaps 7.
- Draft or refresh your data retention and secure disposal policy, with an explicit email retention section 15.
Days 31–60 (implement controls and documentation)
- Complete the documented risk assessment refresh and map findings to the security roadmap 1.
- Enforce MFA across Microsoft 365/Google Workspace and remote access pathways; eliminate exceptions or document compensating controls 8.
- Launch privileged access review cycle and fix shared/admin account issues.
- Update third-party inventory and tiering; ensure high-risk contracts include incident notification and security requirements 6.
Days 61–90 (prove it works; prepare governance)
- Run an incident response tabletop for a phishing-to-mailbox-compromise scenario and document corrective actions 8.
- Implement technical retention enforcement (labels, auto-delete) and document exceptions 1.
- Prepare the board cybersecurity report package and build the certification support binder 1.
- If you need a system to keep evidence current, Daydream can serve as the control-and-evidence workspace so certification packets are assembled from live artifacts rather than last-minute screenshots.
Frequently Asked Questions
Do we have to implement MFA everywhere, or can we rely on “risk-based authentication”?
The regulation permits “Multi-Factor Authentication or Risk-Based Authentication” as an effective control 1. Enforcement actions repeatedly cite MFA gaps tied to real incidents, so treat MFA for external access and email as your default, and document any alternative with strong evidence 7.
Does 23 NYCRR 500 require an email retention policy specifically?
The regulation requires secure disposal policies for NPI that is no longer needed, with defined exceptions 1. NYDFS has explicitly enforced lack of an email retention policy as a violation in a public case, so you should operationalize retention for email, not only “data” in the abstract 8.
What is the biggest “audit trap” with the annual NYDFS certification?
Certifying “compliant” without a complete evidence package and documented exceptions can create separate exposure. NYDFS has charged improper certifications in public enforcement announcements 3.
How do we show the cybersecurity program is “based on a Risk Assessment”?
Keep a traceable chain from risk findings to control decisions: a table that links risks to program changes, funding, and remediation. Maintain prior versions to show updates when systems or business operations change 1.
We outsource critical systems to third parties. Does that reduce our burden?
No. You still need governance, oversight, and evidence that third-party access to NPI and systems is controlled. Public enforcement has cited third-party management failures and lack of due diligence as program weaknesses 6.
What penalty levels should leadership expect if we get this wrong?
Public NYDFS cybersecurity-related penalties in major cases cited here ranged from $1,000,000 to $8,000,000 13. The real risk includes remediation mandates and ongoing supervisory scrutiny, so prevention controls and evidence discipline pay for themselves quickly 8.
Footnotes
- NYDFS Press Release (June 24, 2022); NYDFS Press Release (August 14, 2025)
- 23 NYCRR 500, 2017; NYDFS Press Release (August 14, 2025); NYDFS Press Release (January 23, 2025)
- NYDFS Press Release (January 23, 2025); NYDFS Press Release (August 14, 2025)
- NYDFS Press Release (November 28, 2023); NYDFS Press Release (January 3, 2024)