The New York State Department of Financial Services first issued 23 NYCRR 500 in 2017 — the first state-level cybersecurity regulation specifically targeting financial services entities. The Second Amendment, finalized in late 2023, significantly expanded both the technical requirements and the governance obligations. The phased compliance deadlines have now passed. DFS is actively examining covered entities against the amended standard.

If you're a Queens or NYC-based registered investment advisor, mortgage broker, insurance company, money transmitter, or any other DFS-covered entity, this isn't a forward-looking planning exercise anymore. It's a current compliance requirement.

Who Is Covered Under 23 NYCRR 500?

The regulation applies to any entity operating under or required to operate under a DFS license, registration, or charter. This is broader than most small financial firms realize. It includes:

DFS-Covered Entity Types

  • Banks and licensed lenders
  • Insurance companies and brokers licensed in New York
  • Mortgage bankers and brokers
  • Money transmitters and check cashers
  • Virtual currency businesses operating under BitLicense
  • Service providers that have material access to covered entities' information systems

Limited exemptions exist for very small covered entities — those with fewer than 20 employees, less than $7.5M in gross annual revenue (for three years), or less than $15M in year-end total assets. But even exempt entities must file a certificate of exemption and meet baseline requirements.

What the Second Amendment Added

The original 2017 regulation established baseline cybersecurity requirements — a CISO designation, annual penetration testing, multi-factor authentication on external-facing systems, and annual certification. The Second Amendment substantially expanded this framework:

New governance requirements: The Second Amendment requires board-level cybersecurity oversight — meaning your board (or equivalent senior governing body) must now receive regular cybersecurity program updates, approve the cybersecurity budget, and demonstrate in DFS examinations that governance actually occurs. This is not a check-the-box exercise: examiners will ask for meeting minutes and board materials.

Expanded MFA requirements: Multi-factor authentication is now required on all systems containing nonpublic information (NPI) — not just external-facing systems. This closes a gap many firms had exploited under the original rule.

Asset management mandate: Covered entities must maintain a documented inventory of all information assets, including hardware, software, and data. This must be kept current — an annual snapshot is not sufficient.

Vulnerability management program: The amendment requires a formal, documented vulnerability management program — including regular scanning, prioritized remediation timelines, and evidence that high and critical findings are addressed within defined windows. Your MSP's quarterly "patch Tuesday" routine does not satisfy this requirement without supporting documentation.

Incident response and business continuity: The amendment tightened incident response plan requirements and added explicit business continuity and disaster recovery testing obligations. Plans must be tested at least annually, and test results must be documented and reviewed by senior leadership.

CISO accountability: The CISO function — whether internal or outsourced — must now report directly to the board or senior governing body at least annually, in a dedicated cybersecurity briefing. Burying it in an operations update doesn't satisfy the requirement.

The Five Gaps We Most Commonly Find

In IT assessments of DFS-covered firms across Queens and the greater NYC metro, the same compliance gaps appear consistently. Knowing these gaps before a DFS examination is the difference between a clean certification and a regulatory finding:

1. MFA not implemented on internal systems. Many firms completed MFA rollout on VPN and external portals but never extended it to internal systems containing NPI — workstations, internal databases, network shares. The Second Amendment closes this loophole.

2. No documented asset inventory. "We know what we have" is not a compliant answer. The regulation requires a formal, current, documented inventory. If you can't produce it on request, you're not compliant.

3. Vulnerability scanning without documented remediation. Running quarterly scans and filing reports satisfies only half the requirement. Documented remediation timelines and evidence of closure are equally required — and frequently absent.

4. CISO function outsourced but not structured for governance obligations. Many small firms use their MSP or IT consultant as a de facto CISO. This is permissible under the regulation — but only if that person is actually producing board-level reports and presenting them to senior leadership in a documented governance process. Informal arrangements don't satisfy the requirement.

5. Annual certification filed without supporting evidence. The annual Certification of Compliance (due April 15) must now be backed by documented evidence that each required control is in place. Filing a certification you cannot substantiate in an examination is a serious compliance risk.

What to Do Before April 15

The annual DFS Certification of Compliance is due April 15 each year. If you have not already completed your compliance review, here is the minimum you need to verify before filing:

Pre-Filing Verification Checklist

  • MFA is enabled on all systems containing NPI — not just external access points
  • A current, documented asset inventory exists and has been reviewed in the past 12 months
  • At least one penetration test was conducted by a qualified third party in the past 12 months
  • Vulnerability scanning results and remediation documentation exist for the past 12 months
  • The CISO (internal or outsourced) has provided a written cybersecurity report to the board or senior leadership in the past 12 months, with documentation
  • The incident response plan has been tested in the past 12 months
  • All third-party service providers with access to NPI have been reviewed for cybersecurity adequacy
  • Staff cybersecurity training was completed and documented for all personnel with NPI access

If you cannot check every one of these boxes with supporting documentation, you have a compliance gap. Filing the certification anyway without correcting the gap is a regulatory risk that DFS examiners are specifically trained to identify.