NYDFS 23 NYCRR Part 500
New York's cybersecurity regulation for financial services and regulated entities — including law firms that qualify. We help you understand your obligations and meet them.
NYDFS 23 NYCRR Part 500 applies directly to entities operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization pursuant to New York's Banking, Insurance, or Financial Services Law. Law firms, accounting firms, and MSPs may also face Part 500-driven contractual obligations under §500.11 when serving Covered Entities, meaning your IT controls and documentation may be reviewed by your client's regulator even if your firm itself isn't directly covered. The November 2023 amendments expanded scope and strengthened enforcement. Class A Companies (per §500.1(d): Covered Entities with at least $20M in gross annual revenue from New York business operations in each of the last two fiscal years, and either more than 2,000 employees, including affiliates, or more than $1B in gross annual revenue from all operations) face heightened requirements that phased in through 2024 and 2025. Civil penalties for violations can be substantial. Final applicability should be confirmed by qualified counsel.
Does Part 500 apply to your firm?
Part 500 applies directly to "Covered Entities" — organizations operating under, or required to operate under, a license, registration, charter, or similar authorization from the New York Department of Financial Services. Many firms also face Part 500-driven contractual obligations under §500.11 because they serve Covered Entities. Below are common scenarios — but applicability is fact-specific and should be confirmed with counsel.
Law firms serving NYDFS-regulated clients:
Most law firms aren't Covered Entities themselves, but firms that handle matters for banks, insurers, or other NYDFS-licensed institutions — trust accounts, real estate closings, escrow services, securities work — typically face contractual cybersecurity obligations imposed by those clients under §500.11. Direct coverage applies only if the firm itself holds a NY banking, insurance, or financial services authorization.
Accounting and CPA firms:
CPA firms that themselves hold a DFS-issued license or registration under the Banking, Insurance, or Financial Services Law (an insurance producer license, for example) are directly covered. More commonly, firms acting as fiduciaries, managing client investment accounts, or contracted as service providers to NYDFS-regulated institutions face §500.11 obligations imposed by their clients. Direct coverage and third-party obligations carry different requirements, so applicability should be confirmed with counsel.
IT vendors and MSPs serving covered entities:
If your clients are Covered Entities, §500.11 requires them to maintain a written third-party service provider policy covering due diligence on you and minimum cybersecurity practices you must meet, and to address those practices in your contract. The regulation specifically calls out access controls including MFA, encryption of nonpublic information in transit and at rest, and prompt notice to the client of cybersecurity events affecting its data. This means your IT controls matter to your clients' regulators, and your client may ask for evidence of them during its own vendor reviews.
Small Covered Entities — limited exemption:
Per §500.19(a), a Covered Entity may qualify for a limited exemption from certain Part 500 requirements if it meets any one of the following: fewer than 20 employees and independent contractors (including affiliates), less than $7.5M in gross annual revenue in each of the last three fiscal years, or less than $15M in year-end total assets. A Notice of Exemption must be filed electronically with NYDFS within 30 days of the determination. Thresholds reflect the November 2023 amendment. The exemption is partial: core obligations such as the cybersecurity program and policy, access privileges, risk assessment, third-party service provider policy, MFA, and the annual certification still apply.
Not sure if you qualify? We include a preliminary applicability determination in our Part 500 Readiness Assessment. Many firms are surprised to learn they're covered, or that they need to comply on behalf of a Covered Entity client. Schedule a call to find out.
Part 500 core requirements.
The 2023 amended rule added significant new obligations. Here's what covered entities must have — and how we address each requirement.
| Section | Requirement | What it means in practice | How Sentinel South addresses it |
|---|---|---|---|
| §500.2 | Cybersecurity program | Documented program, driven by the §500.9 risk assessment, protecting the confidentiality, integrity and availability of information systems; Class A: independent audits | Program design and gap tracking in Compliance tier |
| §500.3 | Written cybersecurity policy, approved by the senior governing body | Documented policies covering the areas enumerated in §500.3, approved at least annually by the board or equivalent | Policy development + annual review included in Compliance tier |
| §500.4 | Designated CISO (internal or outsourced) | Named accountable security officer who reports in writing to the senior governing body at least annually and reports material issues promptly | Fractional vCISO service, named officer, quarterly reports |
| §500.5 | Penetration testing | Annual penetration testing from inside and outside the network boundary by a qualified internal or external party | Coordinated via qualified third-party partner |
| §500.5 | Vulnerability management program | Automated scans at a frequency set by the risk assessment, manual review of systems the scanners miss, rescans after material changes, risk-prioritized remediation | 24/7 RMM monitoring + automated patching in all managed plans |
| §500.6 | Audit trail / log retention | Logs sufficient to detect and respond to cybersecurity events retained 3 years; records needed to reconstruct material financial transactions retained 5 years | M365 audit log management + SIEM guidance |
| §500.7 | Access privileges and management | Least privilege, limited and monitored privileged accounts, annual access review, disabling of unused accounts, written password policy; Class A: privileged access management solution | MFA enforcement + conditional access in Premium and Compliance tiers |
| §500.9 | Risk assessment | Documented risk assessment, updated at least annually and on material business or technology change, covering confidentiality, integrity, availability | Annual risk assessment included in Compliance tier |
| §500.10 | Cybersecurity personnel and intelligence | Qualified cybersecurity staff or outsourced function, kept current on threats and countermeasures | Security awareness training + phishing simulation (Compliance tier) |
| §500.11 | Third-party service provider security | Written vendor policy with due diligence and minimum practices; contractual terms on MFA, encryption and incident notice | Third-party vendor review + BAA/security contract guidance |
| §500.12 | Multi-factor authentication | MFA for any individual accessing any information system of the Covered Entity (fully effective November 1, 2025); only CISO-approved compensating controls may substitute | Enforced via Conditional Access + Intune in Premium/Compliance |
| §500.14 | Monitoring and training | Controls against malicious code including web and email filtering; annual awareness training covering social engineering; Class A: EDR and centralized logging/alerting | Managed SAT + ITDR monitoring |
| §500.16 | Incident response and business continuity | Written IRP and BCDR plans, tested at least annually with critical staff, with backups maintained and isolated | IRP development + annual tabletop exercise in Compliance tier |
| §500.17 | Notices to NYDFS and annual certification | 72-hour notice of a cybersecurity incident, 24-hour notice of any extortion payment with a 30-day written explanation; annual certification of material compliance (or acknowledgment of noncompliance) signed by the highest-ranking executive and the CISO by April 15 | Annual compliance attestation letter; certification support |
Start with a Part 500 Readiness Assessment.
A structured, documented assessment of your current IT environment against the 23 NYCRR Part 500 requirements — delivered as a written gap report with prioritized remediation recommendations.
Applicability determination — written confirmation of your Part 500 coverage status and applicable exemptions, if any
Section-by-section gap analysis, current state vs. requirement, with a RAG status (red/amber/green) for each section of Part 500 that applies to you
Prioritized remediation roadmap — what to fix first, estimated effort, and whether each item is in-scope for our managed services
Written findings report — suitable for review by your legal counsel, board, or regulators
60-minute debrief call — we walk your principals and/or IT counsel through the findings, answer questions, and discuss remediation approach
NYDFS has become one of the most active state-level cybersecurity regulators in the country. Since Part 500 took effect in 2017, it has levied penalties against firms including First American Financial ($1M) and Robinhood Crypto ($30M, for combined AML and cybersecurity failures), as well as multiple insurance companies, for Part 500 violations. The 2023 amendments introduced stricter timelines and new mandatory controls. The April 15 annual certification is not optional, it must be signed by your highest-ranking executive and your CISO, and certifying falsely carries additional risk.
Our Compliance tier ($229/user/month) is designed to maintain Part 500 compliance on an ongoing basis — not just pass an assessment and forget about it. It includes the technical controls, documentation, training, and reporting that regulators look for.
Annual risk assessment + vulnerability scanning
MFA enforcement + Conditional Access for all users
Security awareness training + phishing simulation
Written incident response plan + annual tabletop
Annual compliance attestation letter for your April 15 filing
From assessment to certification.
Assessment & applicability review
We determine your coverage status, identify which sections apply, and document your current posture against each requirement. Delivered as a written report.
Gap remediation
We implement the technical controls required by Part 500 — MFA enforcement, access controls, patching, log retention, encrypted backups, and endpoint security. This is the hands-on engineering work.
Policy and documentation
We draft or update your cybersecurity policy, incident response plan, and vendor security policy to meet the written documentation requirements. Your counsel reviews for legal adequacy — we handle the technical substance.
Training and awareness
Security awareness training deployed to all personnel, with phishing simulations and completion tracking. The regulation requires documented training — we produce the records.
Annual certification support
We produce your annual compliance attestation letter and evidence package prior to the April 15 NYDFS filing deadline. Ongoing quarterly reporting in Compliance tier.
We serve NY-market law firms and accounting practices specifically. We understand NYDFS Part 500 as a practitioner framework — not as a checklist to sell consulting hours against. Our managed services are built to satisfy the ongoing technical requirements, and our Compliance tier includes the documentation and reporting layer that regulators look for at audit.
We carry professional liability (E&O) and cyber liability insurance, and we provide certificates of insurance during the vendor security review process required by §500.11. Request at Compliance@SentinelSouth.com.
We provide IT implementation and documentation services — not legal advice. For a determination of your regulatory obligations under New York law, consult qualified counsel. We work alongside your legal team, not instead of them.
Not sure if Part 500 applies to your firm?
That's the most common question we hear — and the right place to start. We'll give you a straight answer in the first conversation, at no charge.