NYDFS Part 500 – cybersecurity regulation

The most influential U.S. state cybersecurity regulation – and after the 2023 amendments, the practical floor every NYDFS-regulated fintech and sponsor bank operates against.

Updated May 2026

NYDFS Part 500 (23 NYCRR § 500) is the New York Department of Financial Services cybersecurity regulation. It applies to every entity required to operate under a NYDFS license, registration, charter, or similar authorization – banks, insurers, money transmitters, BitLicense holders, mortgage brokers, and any fintech operating through a NYDFS-regulated sponsor bank. It was first effective 2017-03-01 and substantially amended on 2023-11-01 with phased implementation through 2025.

Program design

Section 500.02 requires every covered entity to maintain a written cybersecurity program based on a risk assessment, designed to perform the core cybersecurity functions: identify, protect, detect, respond, and recover. The program must be approved annually by the board or a senior governing body. Section 500.04 requires a designated CISO with periodic written reports to the board on material risks, the effectiveness of the program, material cybersecurity issues, and significant changes since the last report.

Technical controls

  • Multi-factor authentication – mandatory for individuals accessing internal networks from external sources; mandatory for privileged accounts; mandatory for remote access to third-party applications holding nonpublic information. Limited exceptions exist with CISO sign-off.
  • Encryption – nonpublic information at rest and in transit, or compensating controls reviewed and approved by the CISO at least annually.
  • Audit trail – Section 500.06 requires records sufficient to reconstruct material financial transactions and to detect and respond to material cybersecurity events, with retention requirements of three and five years respectively.
  • Vulnerability management – penetration tests at least annually and continuous monitoring or bi-annual vulnerability assessments.
  • Application security – secure-development procedures for in-house applications and procedures for evaluating externally developed applications.
  • Asset inventory – maintained and updated, with key fields identified including owners, data classifications, and end-of-life dates.

Class A entities

The 2023 amendments introduced an enhanced tier. Class A entities (Section 500.1(d)) are covered entities with at least $20M in gross NY revenue AND either over 2,000 employees over the prior two fiscal years OR over $1B in gross revenue across all operations. Additional requirements include independent cybersecurity audits, automated asset-management and password-vaulting tooling, endpoint detection and response, monitoring of privileged-access activity, and stronger logging.

Third-party risk

Section 500.11 requires written policies governing security of nonpublic information accessible to or held by third-party service providers. The covered entity must perform diligence appropriate to the third party's risk, set minimum cybersecurity practices, periodically reassess, and require notification of cybersecurity events. Vendor inventories with current diligence packets, contractual security requirements, and event-notification tracking are recurring exam topics.

Event notifications

Two distinct triggers, both running on tight clocks:

  • 72 hours from determining that a cybersecurity event has occurred at the covered entity or a third-party service provider that has a reasonable likelihood of materially harming any material part of operations OR involves a reportable extortion payment OR materially affected the integrity of nonpublic information (Section 500.17(a)).
  • 24 hours from any extortion (ransomware) payment, with a written explanation of the reasons within 30 days (Section 500.17(c)).

The 72-hour clock starts at the moment of determination, not detection. Determination procedures – who decides, on what evidence, with what documentation – are themselves an exam topic.

Annual notice of compliance

By April 15 each year, every covered entity must file either a Notice of Compliance (signed by the highest-ranking executive AND the CISO, attesting to compliance with the regulation for the prior calendar year) or an Acknowledgment of Noncompliance identifying the gaps and remediation plan. The notice carries personal accountability for both signatories. Pre-emptive Acknowledgment of Noncompliance is generally treated more favorably by examiners than discovery of an undisclosed gap.

How FinQub supports Part 500

FinQub itself is a third-party service provider to NYDFS-regulated entities. Its posture maps to the Section 500.11 expectations: SOC 2 Type I in progress, hash-chained audit trails, configurable BYOK, jurisdiction-aware residency, and a published sub-processor inventory. The FinQub sub-processor program runs the same notification cadence.

Operationally, the Section 500.06 audit-trail requirement maps directly to FinQub's core primitive. Every workflow execution, vendor call, access decision, and consent event is logged to a tamper-evident chain. Records covering material financial transactions are retained for the five-year period; records covering cybersecurity events are retained for three years. Examiner queries return the relevant slice of the chain without manual assembly.
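As an added illustration of the tamper-evident audit chain described above (not FinQub's code): a minimal hash-chained log whose entries carry the Section 500.06 retention split, with verification that pinpoints the first altered entry and retention pruning that never breaks a live chain. The record categories, field names and genesis value are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime

# Retention split the page attributes to Section 500.06: records that reconstruct
# material financial transactions, five years; cybersecurity-event records, three.
RETENTION_YEARS = {"financial_transaction": 5, "cybersecurity_event": 3}
GENESIS = "0" * 64  # constructed anchor hash for an empty chain

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so every verifier hashes the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain, category, ts_iso, detail):
    """Append one entry; each entry commits to the hash of the entry before it."""
    if category not in RETENTION_YEARS:
        raise ValueError(f"unknown record category {category!r}")
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"category": category, "ts": ts_iso, "detail": detail}
    chain.append({"prev": prev, "record": record, "hash": _digest(prev, record)})
    return chain[-1]["hash"]

def verify(chain, anchor=GENESIS):
    """Recompute every link from the anchor; return (True, None) or
    (False, index) where index is the first entry whose link no longer holds."""
    prev = anchor
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def expired(entry, now_iso):
    """True once the entry's category-specific retention window has elapsed."""
    ts = datetime.fromisoformat(entry["record"]["ts"])
    years = RETENTION_YEARS[entry["record"]["category"]]
    return ts.replace(year=ts.year + years) <= datetime.fromisoformat(now_iso)

def prune(chain, now_iso):
    """Drop only the longest fully expired prefix. Removing an entry from the middle
    would break every later link, so an expired entry that sits behind one still in
    its retention window is kept. Returns (remaining, anchor): the remainder verifies
    from the hash of the last dropped entry instead of GENESIS."""
    n = 0
    while n < len(chain) and expired(chain[n], now_iso):
        n += 1
    anchor = chain[n - 1]["hash"] if n else GENESIS
    return chain[n:], anchor
```

Note that a five-year financial record sitting ahead of a three-year event record holds the event record in the chain past its own window; that is the trade-off of a single chain versus one chain per retention class.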
