New York Department of Financial Services (NYDFS) Cybersecurity Regulation: 23 NYCRR Part 500 Getting Started Guide 2025


The New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) mandates that entities operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law must establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the financial services industry. These entities are collectively referred to as "Covered Entities."

Which entities qualify for an exemption?

Entities that qualify for a full exemption are entirely exempt from the requirements of the Cybersecurity Regulation. However, they must file a Notice of Exemption with the NYDFS within 30 days of determining that they qualify. Exempt entities are as follows:

  • Employees, agents, representatives, or designees of a Covered Entity, provided that they are covered by the cybersecurity program of that entity.
  • An entity can be exempt if it is an employee, agent, designee, or wholly owned subsidiary of another DFS-regulated business, and all aspects of its operations are fully covered by that parent entity's cybersecurity program.
  • 500.19(e): Exemption for an inactive individual insurance broker who does not maintain or control any information systems or nonpublic information, and has not engaged in soliciting or placing insurance for at least one year.
  • 500.19(g): Entities such as charitable annuity societies, individual insurance agents in inactive status, accredited reinsurers, or similar entities may qualify for a full exemption if they don't otherwise fall under Part 500.

What is required for non-exempt covered entities?

If your entity is not exempt from 23 NYCRR Part 500, your organization will need to adopt a comprehensive cybersecurity program that meets a series of requirements and is certified each year by a CISO (Chief Information Security Officer) who is qualified and appointed by the board. (Section 500.04) and (Section 500.17).

Certifying your entity each year is a complex task and will require a CISO or vCISO with first-hand knowledge of your network and all the IT systems connected to resources within your network.

The cybersecurity program adopted must be based on your risk assessment, which must itself be conducted periodically. (Section 500.09) and (Section 500.03)

Let's review the cyber program requirements.


At a minimum, the policies included in your adopted cybersecurity program should include:

  • Systems and Network Security Policy (WISP)
  • Business continuity and disaster recovery plan (BCDR/DRP)
  • Access Controls and Identity Management Policies
  • Incident Response Policies and Breach Notification Procedures (IRP)

(23 CRR-NY 500.02, Section 500.02)

Your CISO will need to implement technical controls to protect nonpublic information held within your IT systems, including at a minimum:

  • Encryption of Nonpublic Information in Transit and at Rest (Section 500.15)
  • Multifactor Authentication and RBAC (Section 500.07)
  • Monitoring of network and IT systems (IDS/IPS, SIEM) (Section 500.06) (Section 500.05)
  • Annual cybersecurity awareness training (Section 500.14)

Third-party vendors will need to undergo due diligence and adhere to the same cybersecurity standards defined in your cybersecurity program, such as requiring MFA when connecting to your company VPN or email accounts. (Section 500.11)

This is a high-level overview of the requirements; a full checklist of regulations can be downloaded here.

Resources for Meeting Compliance:

A great place to start is the DFS Resource Center.

At SES, we do more than just offer free risk assessments for new clients, we provide a personalized 1-on-1 consultation to help you understand exactly how your organization aligns with NYDFS Cybersecurity Regulation (23 NYCRR 500). Whether you fall under full exemption, limited exemption, or are a non-exempt Covered Entity, our experts will walk you through your compliance status.

We specialize in delivering tailored cybersecurity programs and tools designed specifically for mortgage lenders and insurance firms, helping you protect sensitive data and meet regulatory requirements with confidence.

Technical Information

TL;DR: 23 NYCRR Part 500 is a regulation for non-exempt Covered Entities in New York requiring various technical controls, policies, a cyber program, and administrative controls.

Service Information

Control Type

State Regulation

Industry

Financial Services

Enforced by

New York State Department of Financial Services

Regulatory Information

Certify By

April 15th, Annually

Documentation

DFS Resource Center


Expert guidance on strategic tech adoption from a team with 14 years in the MSP space.

Integrating Your Security Ecosystem

Think of your cyber program as a living ecosystem. Every tool, technical control, and policy is tailored to your risk, budget, and regulatory posture. This creates defense in depth, with the goal of reducing your attack surface and providing real-time monitoring of threats and bad actors within your network.


Priority Email & Tech Support. Our U.S.-based priority support team delivers direct access for immediate resolution of IT issues. No ticket queues.

Optimize IT spend while scaling securely in high-stakes environments.

Our solutions for financial institutions are designed to reduce risk, secure sensitive data, and enable scalable, compliant growth. We bring structure, visibility, and accountability to every layer of your cybersecurity and infrastructure strategy.

Strategic prevention. Multi-layered defense that protects users, data, and systems.

Financial Data Protection

Our team has vast experience with NYSDFS 23 NYCRR Part 500 and 200. From implementing IT systems with documentation and logs that prove compliance, to providing expertise as your vCISO to the senior board, we ensure that your organization remains secure, audit-ready, and risk-free.

We evaluate the availability, functionality, and integrity of your existing cybersecurity program by conducting a vulnerability assessment. We work to minimize risk by reducing the attack surface and implementing 24/7 alerting to stay ahead of patterns and behaviors that may indicate a bad actor or threat on your network or in a malicious email.

We design and maintain secure, high-performance IT environments that protect critical systems without compromising speed. From firewalls and segmentation to patching and access controls, every component of your infrastructure is built for endurance, reliability, and regulatory confidence.

We can be leveraged to provide the roadmaps, oversight, and executive accountability you need to build a mature, compliant, and effective security ecosystem. Our staff includes a certified Encompass Administrator with deep expertise in the mortgage industry.

Our U.S.-based priority support team delivers direct access to senior engineers for immediate resolution of IT or cybersecurity issues. No ticket queues. No waiting. Just fast, reliable, white-glove support when it counts most. Our team works as an extension of your company, with support only a text away to resolve most tech issues.

Email Encryption / Security

Email is still the #1 attack vector. Explore solutions for DMARC, SPF, DKIM, encryption for outbound/inbound email, spam filtering, and malware protection.

Antivirus & Endpoint Protection

EDR (Endpoint Detection & Response) tools to stop malware, ransomware, and zero-day attacks in real time.

Regulatory Expertise

Deep understanding of the complex compliance landscape in finance.

Zero Trust Architecture

Controls that deny any unknown device access to company resources. Controls to enforce location-based logins, security baselines on devices, and advanced logging.

Multifactor Authentication

Multifactor adds an additional layer of security to your accounts, helping to prevent phishing attempts or leaked passwords from leading to breaches.

Data Protection

Testing applications, shared data on your network, the way network devices transmit data, and their connections to third party applications.

Request an Advanced Security Assessment

Every control reinforces the next, building a cohesive security ecosystem that stops breaches cold.


Protecting the Data That Powers Care.

In healthcare, every second matters. Every byte of data carries a legal and ethical responsibility. Healthcare organizations need secure, compliant, and always-on IT systems that enable care without interruption.


Patient Data Protection

Protecting Protected Health Information (PHI) is at the heart of modern healthcare compliance. We deploy multi-layered data protection, encryption, and access control systems that meet HIPAA and HITECH standards.


We design and maintain secure, high-performance IT environments that protect critical systems without compromising speed. From firewalls and segmentation to patching and access controls, we create a hardened infrastructure that keeps patient care systems operational and isolated from risk.

Our zero-drift compliance model ensures ongoing alignment with HIPAA, HITECH, and NIST 800-53 standards through continuous monitoring, policy documentation, and control verification.

Our U.S.-based healthcare IT support team delivers priority-level response for both cybersecurity and system performance issues.


Healthcare Cyber Compliancy

Federal Laws

HIPAA

United States Federal Law

HITECH

United States Federal Law

State Cybersecurity Regulations

NYCRR Section 405.46

New York State Department of Health

Frameworks

NIST 800-53

Information Security Standard

SOLOS: a program review conducted by our firm on your existing cybersecurity program. We can be leveraged as your vCISO to identify and fix gaps in your operations.


Safeguarding Confidentiality, Compliance, and Client Confidence.

We deliver IT and cybersecurity solutions engineered for law firms and legal practices, designed to protect privileged data, support compliance with client and regulatory mandates, and keep your systems available around the clock.

Protect privilege. Safeguard confidentiality.

Client Data Protection

We deploy encryption, endpoint protection, and secure file transfer systems to ensure sensitive client communications, contracts, and discovery materials remain protected at every stage.


Our approach focuses on data access, user behavior, and vendor integrations, helping your team maintain availability, integrity, and confidentiality at every level of operation.

We design and maintain secure, high-performance IT environments that protect critical systems without compromising speed. Your network, document systems, and remote connections are locked down and optimized for secure collaboration.

We keep your systems, policies, and vendors aligned with ABA guidelines, client data clauses, and evolving cybersecurity mandates. You stay audit-ready and compliant by default.

Our U.S.-based healthcare IT support team delivers priority-level response for both cybersecurity and system performance issues. We have expertise with secure collaboration tools for hybrid and remote legal teams.


Legal Cyber Compliancy

Federal Laws

GDPR

General Data Protection Regulation

Frameworks

ABA cybersecurity guidelines

Information Security Standard
