- Regulator: New York State Department of Financial Services (DFS)
- Citation: 23 NYCRR Part 500 — Cybersecurity Requirements for Financial Services Companies
- Applies to: DFS-licensed “Covered Entities” — banks, insurers, mortgage and lending firms, and other regulated financial businesses
- Governance: A qualified CISO and oversight by the board or a senior governing body
- Cadence: Annual certification of compliance filed with DFS
- AI dimension: DFS guidance has clarified that existing Part 500 obligations extend to AI-related cyber risk
01 What it is
Part 500 is the cybersecurity regulation issued by the New York Department of Financial Services. It requires every Covered Entity to run a documented cybersecurity program built on a written risk assessment, with policies approved by the board or a senior governing body, a qualified Chief Information Security Officer, and a defined set of technical and organizational controls.
An amended version of the rule — finalized in late 2023 and phased in through 2024 and 2025 — raised the bar further: stronger governance and board reporting, multi-factor authentication across the business, asset and access management, independent testing, an incident-response and business-continuity plan, and prompt notification to DFS after a qualifying cybersecurity event. Each year, a senior officer or the governing body must certify the program’s compliance — or formally acknowledge where it falls short.
02 Who it applies to
If your company operates under a DFS license, registration, or charter, you are almost certainly a Covered Entity. That includes insurers and producers, banks and trust companies, mortgage servicers, lenders, and a wide range of financial businesses operating in New York. Smaller firms may qualify for limited exemptions from specific provisions, but those exemptions are narrow — the core obligations around risk assessment, governance, and certification still apply.
For mid-market insurers and fintechs, the practical challenge is rarely understanding the rule. It is producing, maintaining, and being able to show the evidence — year after year — without a large internal security team.
03 Where AI fits in
DFS has been among the most direct regulators on artificial intelligence. Its guidance makes clear that AI does not sit outside Part 500: AI-enabled social engineering and deepfakes, the expanded attack surface created by adopting AI tools, and the risks introduced by AI-reliant third parties all fall within a Covered Entity’s existing obligations to assess risk, train staff, and govern vendors. In practice, your risk assessment, your policies, and your board reporting now need an AI dimension — not as a separate exercise, but woven into the program you already certify.
04 What RedOps delivers
RedOps builds and operates the Part 500 program end to end, with the AI dimension built in from the start rather than bolted on later.
- A written risk assessment that drives the program — including AI-related risk
- A board-approved cybersecurity policy stack mapped to the regulation’s requirements
- A fractional CISO function and the senior-governing-body reporting the rule expects
- MFA, access management, and control remediation prioritized by risk
- An evidence repository structured for the annual certification
- BEC, ransomware, and AI-social-engineering tabletop exercises
- The annual certification package and a board briefing on AI cyber risk