NYDFS 23 NYCRR Part 500
the New York cybersecurity rule for financial covered entities, and how to meet it
23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) cybersecurity regulation. Every NYDFS-regulated bank, insurer, and money transmitter operating in New York is a "Covered Entity" and must run a written cybersecurity program with named accountability, tested controls, and reportable incidents.
The Second Amendment, finalized November 1, 2023, phased in new obligations through November 1, 2025. The most consequential for engineering and security teams: §500.5(b) requires automated vulnerability scanning effective May 1, 2025, §500.3 mandates application-security and secure-SDLC policies, and §500.17 keeps the 72-hour cybersecurity-event notification window. This page explains how to satisfy each requirement.
A financial-sector rule with teeth, deadlines, and personal accountability
Part 500 is enforceable law, not a voluntary framework. NYDFS has brought multiple enforcement actions and levied multi-million dollar penalties for inadequate controls and late or missing notifications. Covered Entities must file an annual certification of material compliance, and the regulation now requires senior-officer or board sign-off on the program and on key policies (§500.4, §500.17).
The Second Amendment sharpened the technical bar. §500.5(b) moved vulnerability management from a vague expectation to a concrete requirement: automated scans, plus manual review of anything automation cannot cover, at a cadence driven by your risk assessment, backed by documented and annually approved vulnerability- and patch-management policies. §500.3 forces application security and secure SDLC into the written program rather than leaving them to engineering discretion.
The reporting clock is unforgiving. A reportable cybersecurity event must reach NYDFS within 72 hours (§500.17(a)), and the amendment added notice for ransomware deployment and extortion payments. Meeting Part 500 is as much about provable process and evidence as it is about tooling.
Find it before attackers do. Catch it if they try. Fix it fast.
Across these requirements, O3 runs one continuous loop on your own software so issues surface, get caught, and get fixed before they become an incident.
Test like an AI-assisted attacker
An agentic pentest probes your app across 50+ vulnerability classes the way a real attacker chains them, so exploitable flaws surface in your build before someone outside finds them.
Detect and block exploitation at runtime
A kernel-level eBPF agent watches process trees and syscalls, recognises an attack sequence as it unfolds, and restricts the offending process on the spot rather than taking down the host.
Auto-patch what is reachable
Reachability ranks what genuinely matters, then autofix opens a pull request with the change, so remediation starts inside tight fix windows instead of sitting in a queue.
How to meet the automated vulnerability scanning requirement
Effective May 1, 2025, §500.5(b) requires automated scans of information systems to detect known vulnerabilities, plus a manual review of systems that automated tools cannot cover, on a cadence set by your risk assessment. Detection alone is not enough: §500.5(c) requires timely remediation based on risk.
O3 covers the automated-scan obligation across code and dependencies with SAST, SCA, agentic DAST, and secret scanning, then ranks findings by function-level reachability plus EPSS and KEV so remediation effort maps to real exploitability rather than CVSS noise.
How to build the secure SDLC and application-security policy
§500.3 requires written cybersecurity policies approved by a senior officer or the governing body, explicitly covering systems and application security, the software development lifecycle, and quality assurance. This pushes appsec from informal practice into documented, auditable policy.
O3 operationalizes the SDLC policy: SAST taint analysis (source to sink, interprocedural), SCA against OSV, malicious-dependency detection for typosquats and compromised maintainers, and CycloneDX SBOM generation give engineering provable application-security evidence inside the pipeline.
How to meet the 72-hour incident reporting obligation
§500.17(a) requires notice to the Superintendent within 72 hours of determining a reportable cybersecurity event has occurred. The Second Amendment added separate notice for ransomware deployment in a material part of systems and for extortion payments, plus an annual certification or acknowledgment of compliance.
O3's eBPF runtime agent builds kernel process trees and detects attack chains, and its L7 deep packet inspection flags exfiltration and DNS tunneling. These shorten time-to-determination, which is what actually starts the 72-hour clock.
How to establish CISO oversight and risk assessment
§500.4 requires a qualified CISO who reports in writing at least annually to the senior governing body on the program and material risks. §500.9 requires a periodic written risk assessment that drives the design of controls, including scanning cadence and access rules.
How to satisfy MFA and access-privilege controls
§500.12 requires multi-factor authentication for any individual accessing the Covered Entity's information systems, with limited risk-based exceptions approved in writing by the CISO. §500.7 requires least-privilege access, periodic access reviews, and privileged-account controls.
How to handle asset inventory, monitoring, and training
§500.13 requires written asset-management and data-retention policies, including a documented inventory of information systems. §500.14 requires monitoring and detection controls, including endpoint detection and response capabilities, plus regular cybersecurity awareness training.
O3's eBPF runtime agent (no sidecars) provides kernel-level process and syscall visibility and dynamic per-PID blocking, supporting the continuous-monitoring and detection expectations of §500.14.
Every core Part 500 requirement and how a Covered Entity meets it
All 22 requirement areas, each with the reference and a vendor-neutral note on how teams meet it.
Turn Part 500 vulnerability management into provable evidence
§500.5(b) wants automated scanning and §500.3 wants a real secure-SDLC policy. O3 runs SAST, SCA, agentic DAST, and secret scanning, ranks findings by reachability plus EPSS and KEV, and produces CycloneDX SBOMs so your NYDFS evidence is concrete, not aspirational. See how O3 maps to your Covered Entity program.
Read it on dfs.ny.govSee O3 Security in Action
See why security and engineering leaders trust O3
to secure their entire software supply chain.