NYDFS 500
NYDFS Part 500 (New York Department of Financial Services Cybersecurity Regulation)
Banks, insurers, mortgage companies, and other DFS-licensed financial entities operating in or doing business with New York.
Annual certification deadline (April 15), the November 2023 amendments to Part 500 phase-in, or a DFS examination cycle.
Documented cybersecurity program, CISO reporting to the board, annual penetration testing, MFA, encryption, incident reporting (72 hours). The 2023 amendments significantly raised the bar for larger covered entities.
Brings the CISO directly into board reporting cycles; legal and risk are involved on every material change. NY enforcement actions have real teeth.
Functions as a quasi-national standard for US financial services because NY-licensed entities are most of them. Sold as the regulatory baseline that NY makes mandatory and that other states are quietly emulating.