The Second Amendment to NYDFS Part 500, finalized on November 1, 2023, is the most sweeping overhaul of New York’s cybersecurity regulation since its original 2017 adoption. It strengthens governance expectations, expands technical controls, and introduces new obligations tailored to the increasing sophistication of cyber threats.
Core purpose and regulatory direction
The amendment responds to the rise in threat‑actor sophistication, the ease of executing cyberattacks, and the availability of stronger cybersecurity controls. The update shifts Part 500 from a principles‑only framework toward a more prescriptive, risk‑tiered model.
Major structural changes
CREATION OF CLASS A COMPANIES
Larger or more complex institutions—based on revenue, assets, or operational scale—are designated as Class A Companies and must implement enhanced controls, including:
- Independent audits of the cybersecurity program
- Endpoint detection and response (EDR)
- Privileged access management (PAM)
- More frequent penetration testing
This tiered approach recognizes that larger entities pose greater systemic risk.
EXPANDED GOVERNANCE AND ACCOUNTABILITY
The amendment strengthens executive and board‑level oversight:
- CISOs must have greater independence and authority.
- Boards must exercise more explicit oversight of cybersecurity risk.
- Senior management must sign more detailed annual certifications or acknowledgments of noncompliance.
These changes elevate cybersecurity to a core governance responsibility.
NYDFS Part 500 establishes explicit governance duties for both the Chief Information Security Officer (CISO) and the Board of Directors, and these duties were significantly strengthened in the 2023 Second Amendment. Together, they form the regulatory backbone for cybersecurity accountability in New York–regulated financial institutions.
CISO responsibilities under Part 500
The regulation requires every covered entity to designate a qualified CISO responsible for overseeing and enforcing the cybersecurity program. The CISO’s obligations include:
Oversight of the cybersecurity program
The CISO must develop, implement, and maintain the cybersecurity program and ensure it aligns with the entity’s risk profile. This includes responsibility for policies, controls, monitoring, and incident response.
Reporting to senior management and the board
The CISO must provide annual written reports to the board or equivalent governing body. These reports must address:
- The cybersecurity program’s overall status
- Material cybersecurity risks
- Material cybersecurity events
- Remediation plans and program improvements
This reporting requirement ensures that cybersecurity is elevated to the highest levels of governance.
Authority and independence
The Second Amendment emphasizes that the CISO must have sufficient authority, resources, and organizational independence to carry out their responsibilities effectively. This includes the ability to escalate issues without obstruction.
Policy approval and oversight
The CISO must help develop and periodically update cybersecurity policies covering areas such as data governance, access controls, asset management, and incident response. These policies must be approved by senior leadership or the board.
Board of Directors responsibilities under Part 500
The board (or equivalent governing body) plays a central role in cybersecurity governance. The regulation assigns several key duties:
Oversight of the cybersecurity program
The board must exercise oversight of the cybersecurity program and ensure that management implements and maintains appropriate controls. This includes reviewing the CISO’s annual report and ensuring that identified risks are addressed.
Approval of cybersecurity policies
Cybersecurity policies must be approved by the board or a senior officer. This requirement ensures that cybersecurity is not treated as an IT-only issue but as an enterprise-wide governance matter.
Accountability for compliance
The Second Amendment strengthens accountability by requiring senior officers to sign annual certifications or acknowledgments of noncompliance. This creates direct responsibility at the highest levels of leadership.
Ensuring adequate resources
Boards must ensure that the cybersecurity program is adequately funded and staffed. This includes supporting the CISO’s independence and ensuring access to necessary tools, personnel, and external expertise.
How the Second Amendment elevates governance expectations
The 2023 revisions significantly expand governance obligations:
- More prescriptive CISO authority: The CISO must have clear responsibility and independence.
- Stronger board oversight: Boards must be more actively engaged in understanding cyber risks and program performance.
- Enhanced reporting: The CISO’s annual report must be more detailed and risk-focused.
- Certification accountability: Senior officers must attest to compliance or acknowledge areas of noncompliance, increasing personal responsibility.
These changes reflect NYDFS’s view that cybersecurity failures often stem from governance failures, not just technical gaps.
Practical implications for regulated entities
- CISOs must operate with greater transparency and authority.
- Boards must develop deeper cybersecurity literacy to fulfill oversight duties.
- Documentation, reporting, and audit trails become more critical.
- Senior leadership faces increased regulatory exposure if governance is weak.
STRICTER TECHNICAL CONTROLS
Several technical requirements are expanded or clarified:
- Multi‑factor authentication (MFA) becomes mandatory for nearly all access pathways, with only narrow exemptions for small entities.
- Asset inventory programs must be comprehensive and documented.
- Incident response and business continuity plans must be more detailed and tested more frequently.
- Logging and monitoring requirements are strengthened to ensure rapid detection and response.
The Second Amendment to NYDFS Part 500 introduces a significantly more prescriptive set of technical cybersecurity controls, reflecting NYDFS’s view that modern threats require stronger, more uniform safeguards. These controls apply to all covered entities, with additional heightened requirements for Class A Companies. The amendments phase in from 2023 through 2025, with several key controls taking effect in 2025.
Core technical controls required for all covered entities
These controls establish a strengthened baseline that every regulated institution must meet, regardless of size.
Multi‑factor authentication (MFA)
NYDFS expands MFA requirements to cover nearly all access pathways, including:
- Remote access
- Privileged accounts
- Third‑party access
- Internal access to systems containing nonpublic information
Only narrowly defined small entities may claim a limited exemption.
Asset inventory management
Covered entities must maintain written procedures for creating and maintaining a complete, accurate inventory of information systems and assets. This includes hardware, software, cloud resources, and data repositories.
Logging, monitoring, and detection
The Second Amendment strengthens requirements for:
- Continuous monitoring
- Centralized logging
- Retention of logs for forensic analysis
- Automated detection of anomalous activity
These controls support faster identification of cybersecurity events and compliance with the 72‑hour reporting window.
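As an added illustration of the "automated detection of anomalous activity" item above (this is example code written for this page, not material from NYDFS or from any vendor product), the block below parses a handful of constructed authentication log lines and flags a burst of failed logins followed by a success for the same user and source address. The log format, the field names, and the thresholds (`FAIL_THRESHOLD`, `WINDOW`) are assumptions chosen for the example; a real deployment would tune them to its own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like shape (not from any real system).
SAMPLE_LOG = """\
2025-10-15T08:00:01Z auth host=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-10-15T08:00:03Z auth host=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-10-15T08:00:05Z auth host=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-10-15T08:00:06Z auth host=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-10-15T08:00:08Z auth host=vpn1 user=alice src=203.0.113.10 result=FAIL
2025-10-15T08:00:09Z auth host=vpn1 user=alice src=203.0.113.10 result=SUCCESS
2025-10-15T08:05:00Z auth host=vpn1 user=bob src=198.51.100.7 result=FAIL
2025-10-15T08:30:00Z auth host=vpn1 user=bob src=198.51.100.7 result=SUCCESS
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed detection thresholds (tuning values, not figures from the regulation).
FAIL_THRESHOLD = 5          # failures needed before a following success is suspicious
WINDOW = timedelta(minutes=1)  # failures older than this are dropped from the count


def parse(log_text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_brute_force(events):
    """Return alerts for (user, src) pairs with >= FAIL_THRESHOLD failures inside WINDOW
    immediately followed by a success; one alert per such success."""
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            # keep only failures that fall inside the sliding window ending at this event
            fails[key] = [t for t in fails[key] if e["ts"] - t <= WINDOW]
        elif e["result"] == "SUCCESS":
            if len(fails[key]) >= FAIL_THRESHOLD:
                alerts.append({
                    "user": e["user"],
                    "src": e["src"],
                    "failures": len(fails[key]),
                    "success_at": e["ts"].isoformat(),
                })
            fails[key] = []     # a success resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

The alert carries the user, source, failure count and the time of the successful login, which is the evidence an analyst needs to open triage and, if the event turns out to be reportable, to fix the point at which the entity's 72-hour clock starts.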
Vulnerability scanning and management
As of May 1, 2025, entities must conduct:
- Automated vulnerability scanning
- Manual review when automated scanning is not feasible
- Risk‑based remediation of identified vulnerabilities
These requirements are codified in § 500.5(a)(2).
Access controls and privileged access management
The amendment requires:
- Stronger authentication for privileged accounts
- Restrictions on the number and use of privileged accounts
- Periodic review of access rights
- Technical enforcement of least‑privilege principles
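The following is an added example, not code from NYDFS or from the article, showing how the MFA coverage expectations listed under "Multi-factor authentication (MFA)" and the privileged-access items listed just above can be checked together against an account inventory. The inventory rows are constructed, the `Account` fields are assumptions about what such an inventory records, and the 90-day review cadence and 30-day dormancy threshold are policy choices made for the example rather than values taken from Part 500.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    access_path: str     # assumed values: "remote", "third_party", "internal_npi", "internal_other"
    privileged: bool
    mfa_enabled: bool
    last_reviewed: date  # date the account's rights were last attested by an owner
    last_used: date


# Access paths the article lists as requiring MFA; privileged accounts require it on any path.
MFA_REQUIRED_PATHS = {"remote", "third_party", "internal_npi"}

# Assumed review cadence and dormancy threshold (policy choices, not figures from the regulation).
REVIEW_INTERVAL = timedelta(days=90)
DORMANT_AFTER = timedelta(days=30)


def audit_accounts(accounts, today):
    """Return (user, finding) tuples for every account that fails a check, in inventory order."""
    findings = []
    for a in accounts:
        needs_mfa = a.privileged or a.access_path in MFA_REQUIRED_PATHS
        if needs_mfa and not a.mfa_enabled:
            findings.append((a.user, "MFA_MISSING"))
        if a.privileged:
            if today - a.last_reviewed > REVIEW_INTERVAL:
                findings.append((a.user, "PRIVILEGED_REVIEW_OVERDUE"))
            if today - a.last_used > DORMANT_AFTER:
                findings.append((a.user, "PRIVILEGED_DORMANT"))
    return findings


def privileged_ratio(accounts):
    """Share of accounts that are privileged; a simple metric for 'restrict the number of privileged accounts'."""
    if not accounts:
        return 0.0
    return sum(1 for a in accounts if a.privileged) / len(accounts)


# Constructed sample inventory (not real data).
SAMPLE = [
    Account("alice", "remote", False, True, date(2025, 9, 1), date(2025, 10, 1)),
    Account("bob", "internal_npi", False, False, date(2025, 9, 1), date(2025, 10, 1)),
    Account("carol-admin", "internal_other", True, True, date(2025, 5, 1), date(2025, 10, 1)),
    Account("dave-admin", "internal_other", True, False, date(2025, 9, 15), date(2025, 6, 1)),
    Account("vendor-svc", "third_party", False, True, date(2025, 9, 1), date(2025, 10, 1)),
]
AUDIT_DATE = date(2025, 10, 15)


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE, AUDIT_DATE):
        print(f"{user}: {finding}")
    print(f"privileged share of accounts: {privileged_ratio(SAMPLE):.0%}")
```

Run against the sample, the audit flags an internal user with access to nonpublic information but no MFA, a privileged account whose rights review is overdue, and a privileged account that is both missing MFA and dormant. Each finding maps to one of the listed requirements, which is the kind of traceable evidence an independent audit or a senior-officer certification would look for.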
Encryption and secure configuration
Entities must encrypt nonpublic information both in transit and at rest, or use compensating controls approved by the CISO. Secure configuration baselines must be documented and enforced.
Enhanced controls required for Class A Companies
Class A Companies—larger or more complex institutions—must implement additional advanced controls.
Endpoint detection and response (EDR)
Class A Companies must deploy EDR solutions capable of:
- Detecting malicious activity
- Automatically isolating compromised endpoints
- Supporting forensic investigations
Privileged access management (PAM)
These companies must implement PAM solutions that:
- Enforce password vaulting
- Monitor privileged sessions
- Provide just‑in‑time access where feasible
Independent cybersecurity audits
Class A Companies must undergo independent audits of their cybersecurity programs at least annually, ensuring objective validation of compliance and control effectiveness.
More frequent penetration testing
While all entities must conduct penetration testing, Class A Companies must do so more frequently and with greater technical rigor.
Strengthened incident response and business continuity controls
The Second Amendment requires:
- More detailed incident response plans
- Regular tabletop exercises
- Business continuity and disaster recovery plans aligned with cyber‑resilience objectives
- Testing of restoration capabilities, including backup integrity and recovery timeframes
These controls support the expanded incident reporting obligations introduced in the amendment.
How these controls reshape compliance expectations
The technical controls reflect a shift toward:
- Higher baseline security for all entities
- More prescriptive requirements for larger institutions
- Greater emphasis on automation, monitoring, and rapid detection
- Stronger governance through CISO authority and board oversight
- Operational resilience, not just prevention
ENHANCED INCIDENT REPORTING
The amendment expands what must be reported to NYDFS, including:
- Ransomware payments
- Unauthorized access events that could materially harm operations
- Third‑party incidents affecting the covered entity
Reporting timelines and documentation expectations are also tightened.
NYDFS Part 500 imposes some of the most detailed cybersecurity incident reporting obligations in the U.S. financial regulatory landscape. These requirements define what must be reported, when, and how, and they expanded significantly with the 2023 Second Amendment. The result is a multi‑layered framework designed to give regulators early visibility into cyber events that could threaten financial stability or consumer data.
What counts as a reportable cybersecurity event
Part 500 defines a cybersecurity event broadly as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on it.
Within that broad definition, the regulation requires reporting when an event:
- Has a reasonable likelihood of materially harming the normal operations of the covered entity.
- Involves unauthorized access to an information system or nonpublic information.
- Occurs at a third‑party service provider but materially affects the covered entity.
- Involves ransomware, including any ransom payment, which must be reported separately under the 2023 amendments.
This scope captures both direct attacks and incidents arising from vendors, cloud providers, or other external dependencies.
Reporting timelines and required submissions
- 72‑hour initial report: Covered entities must notify NYDFS within 72 hours after determining that a reportable cybersecurity event has occurred. This includes events that are still unfolding or whose full impact is not yet known.
- Ransomware payment reporting: If a ransom is paid, the entity must submit:
  - A 24‑hour notice after making the payment.
  - A 30‑day follow‑up report explaining why payment was made, alternatives considered, and steps taken to recover systems.
- Supplemental reporting: NYDFS expects ongoing updates as new information becomes available, especially when:
  - The scope of data exposure changes
  - New threat‑actor behavior is discovered
  - Additional systems are found to be compromised
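The three clocks above start from different moments: the 72-hour window runs from the entity's determination that a reportable event occurred, while both ransomware windows run from the payment. As an added example (written for this page, not taken from NYDFS guidance), the block below turns those windows into concrete deadlines for an incident timeline and lists which submissions are already past due at a given moment. The incident timestamps are constructed; the window lengths are the ones stated in the text.

```python
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the article.
INITIAL_NOTICE = timedelta(hours=72)    # from determination that a reportable event occurred
RANSOM_NOTICE = timedelta(hours=24)     # from the ransom payment
RANSOM_FOLLOW_UP = timedelta(days=30)   # from the ransom payment


def reporting_deadlines(determined_at, paid_at=None):
    """Return NYDFS submission deadlines keyed by submission name.

    determined_at: when the entity determined a reportable event had occurred
                   (not when the intrusion began); the 72-hour clock runs from here.
    paid_at:       when a ransom was paid, if any; both ransomware clocks run from here.
    """
    deadlines = {"initial_notice": determined_at + INITIAL_NOTICE}
    if paid_at is not None:
        deadlines["ransom_payment_notice"] = paid_at + RANSOM_NOTICE
        deadlines["ransom_follow_up_report"] = paid_at + RANSOM_FOLLOW_UP
    return deadlines


def overdue(deadlines, now):
    """Sorted names of submissions whose deadline has already passed at `now`."""
    return sorted(name for name, due in deadlines.items() if now > due)


# Constructed sample timeline in UTC (not an actual incident).
DETERMINED = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
PAID = datetime(2025, 3, 4, 18, 30, tzinfo=timezone.utc)
CHECK_TIME = datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    deadlines = reporting_deadlines(DETERMINED, PAID)
    for name, due in deadlines.items():
        print(f"{name}: {due.isoformat()}")
    print("overdue at check time:", overdue(deadlines, CHECK_TIME))
```

Timezone-aware timestamps are used deliberately: an incident team working across regions can otherwise miscompute a 72-hour deadline by several hours. Recording the determination time as its own event in the incident log, separate from first detection, is what makes the initial-notice deadline defensible later.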
What must be included in an incident report
While NYDFS does not mandate a rigid format, reports typically include:
- Description of the event and timeline
- Affected systems and data
- Whether nonpublic information was accessed or exfiltrated
- Impact on operations
- Steps taken to contain, remediate, and recover
- Involvement of law enforcement or third‑party forensic firms
- Whether the event originated from a third‑party service provider
The 2023 amendments emphasize root‑cause analysis and documentation of corrective actions, reflecting NYDFS’s shift toward more prescriptive oversight.
Governance expectations tied to incident reporting
Incident reporting is not just a technical requirement—it is tied to broader governance duties:
- CISOs must ensure timely escalation of incidents to senior management and the board.
- Boards are expected to understand the nature and impact of reported events.
- Annual certifications now require senior officers to attest to the accuracy of incident reporting practices.
These expectations reinforce that cybersecurity events are enterprise‑level risks, not IT‑only issues.
Practical implications for regulated entities
The incident reporting framework creates several operational demands:
- Rapid detection and triage to meet the 72‑hour window
- Vendor oversight to ensure third‑party incidents are identified and escalated
- Documented playbooks for ransomware scenarios
- Clear internal reporting lines so CISOs can escalate incidents without delay
- Robust logging and monitoring, which the Second Amendment strengthened to support faster incident identification
Entities that fail to report incidents promptly have faced enforcement actions, making compliance a high‑stakes obligation.
Implementation timeline
The Second Amendment phased in requirements through 2025, with some controls—such as MFA and asset inventory programs—taking effect on November 1, 2025.
Practical impact on regulated entities
The amendment significantly raises the baseline for cybersecurity maturity across the financial sector:
- Larger institutions face the most substantial new obligations.
- Smaller entities must still meet strengthened core controls but may qualify for limited exemptions.
- Governance expectations now require deeper board engagement and clearer CISO authority.
- Documentation, testing, and reporting obligations increase across the board.
The result is a more prescriptive, risk‑tiered regulatory regime designed to address modern cyber threats and reduce systemic risk.
