For CISOs, Compliance Officers, and Risk Leaders at NY-Regulated Financial Services
Meet New York's cybersecurity regulation with structured control mapping, CISO certification readiness, third-party service provider oversight, and continuous evidence for the annual filing.
23 NYCRR Part 500 is the New York Department of Financial Services cybersecurity regulation governing banks, insurance companies, and other Covered Entities licensed in New York. The regulation requires a written cybersecurity program, a Chief Information Security Officer, multi-factor authentication, encryption, incident response planning, third-party service provider oversight, and an annual Certification of Material Compliance (or, where controls fell short, an Acknowledgment of Noncompliance) signed by the CISO and the entity's highest-ranking executive.
Amendment II (effective November 1, 2023, with phased deadlines through November 1, 2025) significantly expanded the regulation. Class A companies are Covered Entities with at least $20M in gross annual revenue from New York operations in each of the last two fiscal years and either more than 2,000 employees averaged over that period or more than $1 billion in gross annual revenue from all operations, with revenue and headcount counted together with affiliates. They face additional requirements including independent audits, privileged access management with automated blocking of commonly used passwords, and endpoint detection and response with centralized logging. Reporting obligations for cybersecurity incidents and extortion payments have been expanded across all Covered Entities.
“NYDFS Part 500 is one of the most prescriptive financial cybersecurity regulations in the United States. Amendment II raised the bar — and DFS has shown willingness to enforce it with multi-million dollar consent orders.”
The annual certification (filed by April 15 for the prior calendar year) is the visible deliverable, but it's the year-round evidence collection that breaks programs. Covered Entities must demonstrate continuous control operation: MFA enforcement, access reviews, vulnerability management, third-party assessments, training completion, and incident response readiness. The certification is a representation that those controls operated throughout the year, not just on the day of the filing.
Third-party service provider oversight is a particular pain point. Section 500.11 requires risk-based assessment of TPSPs handling Nonpublic Information, contractual security requirements, and ongoing oversight. Many programs treat this as a checkbox at vendor onboarding and then lose visibility — a gap DFS examiners have specifically targeted in recent enforcement actions.
Thirdsentry maps your control environment to NYDFS Part 500 sections, identifies coverage gaps, and tracks evidence linkage continuously throughout the certification cycle. The platform's Class A-aware scoping surfaces the additional requirements (Sections 500.2(c), 500.7(b), and 500.14(b)) for entities meeting the Class A threshold.
Assessment workflows evaluate control effectiveness against each Part 500 obligation — 500.4 governance, 500.7 access privileges, 500.10 cybersecurity personnel, 500.11 third-party providers — generating findings that flow into the risk register with documented remediation. The evidence collected supports both the annual CISO certification and any DFS examination request.
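As an added illustration of the scoping and gap logic described above (example code written for this page, not Thirdsentry's implementation), the block below applies the Class A definition from 23 NYCRR 500.1 to an entity profile, selects the obligations that apply, and flags any applicable section whose most recent evidence is missing or older than a freshness window. The obligation table and the evidence inventory are constructed, partial samples, and the `max_age_days` window is an assumed policy parameter, not a Part 500 requirement.

```python
"""Class A scoping and Part 500 coverage-gap check.

Added example, not Thirdsentry code. The Class A thresholds follow the
definition in 23 NYCRR 500.1 as read by the author of this example; verify
them against the current regulation text before relying on them.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NY_REVENUE_FLOOR = 20_000_000          # each of the last two fiscal years, NY operations incl. affiliates
EMPLOYEE_FLOOR = 2_000                 # averaged over the last two fiscal years, affiliates included
TOTAL_REVENUE_FLOOR = 1_000_000_000    # each of the last two fiscal years, all operations incl. affiliates


@dataclass(frozen=True)
class EntityProfile:
    ny_revenue: tuple[float, float]      # last two fiscal years, NY operations, affiliates included
    avg_employees: float                 # two-year average, affiliates included
    total_revenue: tuple[float, float]   # last two fiscal years, worldwide, affiliates included


def is_class_a(p: EntityProfile) -> bool:
    """NY revenue must clear the floor in both years; then either the headcount or the total-revenue test."""
    ny_ok = all(r >= NY_REVENUE_FLOOR for r in p.ny_revenue)
    headcount_ok = p.avg_employees > EMPLOYEE_FLOOR
    revenue_ok = all(r > TOTAL_REVENUE_FLOOR for r in p.total_revenue)
    return ny_ok and (headcount_ok or revenue_ok)


@dataclass(frozen=True)
class Obligation:
    section: str
    summary: str
    class_a_only: bool = False


# Constructed, partial subset of Part 500 used only to show the mechanics; not a complete catalog.
OBLIGATIONS = (
    Obligation("500.2(c)", "independent audit of the cybersecurity program", class_a_only=True),
    Obligation("500.4", "cybersecurity governance and CISO reporting"),
    Obligation("500.7(a)", "least-privilege access and periodic access review"),
    Obligation("500.7(b)", "privileged access management and common-password blocking", class_a_only=True),
    Obligation("500.11", "third-party service provider policy and ongoing oversight"),
    Obligation("500.12", "multi-factor authentication"),
    Obligation("500.14(b)", "EDR plus centralized logging and alerting", class_a_only=True),
)


def applicable_obligations(p: EntityProfile) -> list[Obligation]:
    """Every entity gets the base set; Class A entities also get the Class A-only sections."""
    class_a = is_class_a(p)
    return [o for o in OBLIGATIONS if class_a or not o.class_a_only]


def coverage_gaps(p: EntityProfile, evidence: dict[str, date], as_of: date,
                  max_age_days: int = 90) -> list[str]:
    """Applicable sections with no evidence, or whose newest evidence is older than the window.

    `evidence` maps a section to the date of its most recent evidence artifact.
    A vendor review done once at onboarding and never refreshed shows up here as stale.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    return [o.section for o in applicable_obligations(p)
            if evidence.get(o.section) is None or evidence[o.section] < cutoff]


# Constructed sample entity and evidence inventory (not real data).
SAMPLE_CLASS_A = EntityProfile(ny_revenue=(25_000_000, 30_000_000), avg_employees=2_500,
                               total_revenue=(400_000_000, 450_000_000))
SAMPLE_SMALL = EntityProfile(ny_revenue=(25_000_000, 25_000_000), avg_employees=100,
                             total_revenue=(100_000_000, 100_000_000))
SAMPLE_EVIDENCE = {
    "500.4": date(2025, 9, 30),
    "500.7(a)": date(2025, 10, 15),
    "500.11": date(2025, 2, 1),      # assessed at vendor onboarding, never refreshed
    "500.12": date(2025, 10, 1),
    "500.14(b)": date(2025, 10, 20),
}

if __name__ == "__main__":
    for name, profile in (("class A", SAMPLE_CLASS_A), ("non-class A", SAMPLE_SMALL)):
        print(name, "gaps as of 2025-11-01:", coverage_gaps(profile, SAMPLE_EVIDENCE, date(2025, 11, 1)))
```

The staleness check is what turns a point-in-time checklist into continuous evidence: the stale 500.11 entry surfaces as a gap for every entity, while the missing 500.2(c) and 500.7(b) evidence only becomes a finding once the entity is scoped as Class A.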
Third-party service provider oversight runs through the integrated TPRM module. Vendor risk assessments evaluate TPSPs against Part 500 standards, track DPA-equivalent contractual provisions, and document ongoing oversight activities. Vendor Dual-Signal Risk Intelligence with Posture Divergence Detection adds a continuous monitoring layer that DFS examiners are increasingly expecting.
Map controls to all Part 500 sections including Amendment II expansions and Class A-specific requirements.
Continuous evidence collection supports the annual CISO + senior officer certification with a defensible trail.
Class A-aware scoping surfaces additional requirements (independent audits, privileged access management, EDR).
Integrated TPRM with TPSP-specific assessment workflows and Posture Divergence Detection for continuous monitoring.
Structured workflows for the 72-hour cybersecurity incident notification, the 24-hour notice of an extortion payment, and the 30-day written explanation of that payment.
Generate evidence packages and control matrices ready for DFS examination or internal audit review.
Yes. Thirdsentry's Part 500 framework reflects Amendment II in full, including the expanded scope of cybersecurity events, the CISO + senior officer co-certification, the Class A company additions, and the phased deadlines through November 2025.
When you flag your entity as Class A, Thirdsentry surfaces the additional obligations: independent audits, privileged access management, automated blocking of common passwords, and endpoint detection and response. Those controls become first-class assessment items rather than a hidden subset.
Yes. Most NYDFS Covered Entities maintain multiple compliance obligations. Thirdsentry's cross-framework control mapping lets one control implementation satisfy Part 500, SOC 2, and ISO 27001 simultaneously — with one evidence trail rather than three.
See how Thirdsentry automates NYDFS Part 500 control mapping, evidence collection, and gap analysis — so your team focuses on risk decisions, not compliance overhead.