Trust · NYDFS 500
23 NYCRR Part 500 is the New York State Department of Financial Services cybersecurity regulation governing covered entities — DFS-licensed banks, insurers, mortgage brokers, and other financial institutions. The 2023 amendments tightened multi-factor-authentication requirements, expanded incident-reporting scope, and added governance and risk-assessment expectations.
What it is, what it covers
If your institution is DFS-licensed, 23 NYCRR 500 is binding — not aspirational. Every covered entity must maintain a cybersecurity program, designate a CISO, conduct annual risk assessments, enforce multi-factor authentication on privileged access, encrypt non-public information, and notify DFS within 72 hours of qualifying events.
Prosigns engineers cybersecurity programs and the underlying systems for DFS-licensed institutions with the regulation's requirements treated as architectural constraints rather than compliance checklist items. CITADEL co-pilots every NY-financial-services engagement; the controls are operational from day one and the evidence is collected as a side-effect of normal delivery.
We do not substitute for your CISO or your DFS examiner. We engineer the systems they govern, and we produce the program documentation, risk-assessment evidence, and incident-response runbooks in the form DFS expects.
Scope
Part 500 applies to entities operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. Engagements with NY-licensed financial institutions are scoped against Part 500 from the first architecture review.
Engineering controls
Prosigns engineering practices produce NYDFS 500-aligned evidence as a side-effect of normal delivery. Each control below carries a specific regulatory reference where applicable.
Written cybersecurity program covering identification, protection, detection, response, and recovery. Annual review; CISO sign-off retained per the engagement's documentation policy. The program documents map to the institution's risk assessment outputs.
23 NYCRR 500.2 (Cybersecurity program)
Per-engagement and per-institution risk assessment covering threat actors, vulnerabilities, asset inventory, and impact analysis. Findings drive control prioritization; the assessment is updated when material changes occur (new system, new business line, post-incident).
23 NYCRR 500.9 (Risk assessment)
MFA enforced on all access to non-public information from external networks, on all access to internal networks for users from external networks, and on all privileged accounts (per the 2023 amendments). Phishing-resistant MFA (FIDO2 / WebAuthn) where the engagement risk tier requires it.
23 NYCRR 500.12 (Multi-factor authentication, as amended 2023)
Encryption in transit and at rest for non-public information. Where encryption is infeasible, compensating controls are documented and reviewed at least annually by the CISO. Key management policy retained; key-rotation cadence documented.
23 NYCRR 500.15 (Encryption of non-public information)
Third-party service providers with access to non-public information are risk-assessed on engagement; the assessment covers their cybersecurity practices, contractual protections, encryption posture, and access-control discipline. Subprocessor changes trigger re-assessment.
23 NYCRR 500.11 (Third-party service provider security policy)
Documented incident-response procedures with explicit DFS-notification flows. Qualifying events (cybersecurity events likely to result in material harm or those required to be reported to a primary regulator) are reported to DFS within 72 hours. Notification runbook tested annually.
23 NYCRR 500.17 (Notices to superintendent)
On engagements where Prosigns operates the cybersecurity function as a managed service, the engagement nominates a senior engineer reporting in the institution's CISO chain. Annual cybersecurity report to the institution's senior governing body is supported with metric-grounded evidence; the assessment relationship stays with the institution's CISO.
23 NYCRR 500.4 (Chief information security officer)
Audit logs retained per the institution's documented retention policy, with at least 5 years for cybersecurity-event-relevant records (longer where the engagement risk tier requires). Logs are tamper-protected for integrity; querying is structured for examiner sample pulls.
23 NYCRR 500.6 (Audit trail)
Honest posture
Prosigns engineering practices are aligned to 23 NYCRR Part 500 with CITADEL co-piloting NY-financial-services engagements. We are not a DFS-licensed entity ourselves; on engagements where Prosigns operates components of the cybersecurity program, we coordinate with your CISO and produce program documentation in the form DFS expects.
Audit pack contents
Engagement-scoped to the NYDFS 500 deliverable. Available on request under NDA, same business day for procurement and InfoSec review.
Where it applies
Services we deliver
Cybersecurity program design, risk assessment, MFA enforcement, encryption discipline.
Financial-services applications engineered with Part 500 requirements as architectural constraints.
NY-financial-institution cloud topology with documented data-residency and access-control posture.
Frequently asked
No. Prosigns is the system integrator and engineering partner; the DFS license belongs to the institution. We engineer cybersecurity programs and the underlying systems aligned to Part 500 expectations and coordinate with your CISO and DFS examiners on evidence pulls and remediation. The license relationship and DFS reporting accountability stay with the institution.
The major changes: phishing-resistant MFA expanded to all privileged accounts, expanded incident-reporting scope (qualifying ransomware payments now reportable, expanded definition of cybersecurity events), additional governance expectations (board-level oversight, annual risk-assessment review), and tightened CISO independence requirements. Compliance phased in through 2025; we engineer to the post-amendment baseline by default.
Documented notification runbook with explicit decision points for qualifying events. The clock starts at determination that a qualifying event has occurred; the runbook specifies who decides, what evidence is captured, who drafts the notification, and who signs off. Tabletop exercises run quarterly to keep the runbook fresh; a 72-hour window does not survive ad-hoc procedure.
Yes — third-party service providers with access to non-public information are explicitly in scope under §500.11. We get risk-assessed on engagement; the institution maintains the assessment record and re-assesses on subprocessor change. Our cybersecurity practices and contractual protections are documented for the institution's third-party file.
Part 500 has limited exemptions — entities with fewer than 20 employees, less than $7.5M in NY revenue, or less than $15M in year-end total assets get partial relief from specific sections (notably §500.4, §500.5, §500.6). Even exempt entities must maintain cybersecurity programs commensurate with risk; we engineer accordingly when an exemption applies.
They overlap but don't substitute. Part 500's cybersecurity program covers concerns SOX ITGCs and PCI-DSS each address from their own angle. We engineer to the strictest applicable standard per control — typically Part 500's MFA expectations, PCI-DSS's tokenization discipline, SOX's change-management traceability — and document the cross-mapping so a single engagement can present coherent evidence to NY DFS, the external SOX auditor, and the QSA.
Related regulators
Sarbanes-Oxley Act of 2002
SOX 404 IT General Controls for Financial-Reporting Systems
PCI Security Standards Council
PCI-DSS Engineering for Payments-Touching Systems
Board of Governors of the Federal Reserve System; OCC Bulletin 2011-12 (parallel guidance)
Federal Reserve SR 11-7 Model Risk Management for ML Systems
Talk to us
CITADEL co-pilots every regulated engagement. A senior engineer and a department lead join the first call. Audit pack on the same business day.