

Compliance CISO
May 27 2026
NYDFS 23 NYCRR 500: What Fintech Companies Regulated in New York Need to Know in 2026
If your fintech operates under a New York banking, insurance, or financial services license, the New York Department of Financial Services Cybersecurity Regulation—23 NYCRR Part 500—applies to you. And as of November 1, 2025, the final phase of its Second Amendment is fully in effect.
This is not a future compliance consideration. It is a current legal obligation with active enforcement, meaningful fines, and personal liability provisions that extend to your CEO and CISO. Robinhood paid $30 million under this regulation. EyeMed paid $4.5 million. OneMain Financial paid $4.25 million. These were not edge cases. They were enforcement outcomes against entities that DFS determined had not implemented controls the regulation required.
This article covers what Part 500 actually requires, what the Second Amendment changed, and where fintechs are finding the most significant compliance gaps in 2026.
Who Must Comply
Part 500 applies to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. This includes fintech companies licensed as money transmitters, lenders, payment processors, and insurance providers in New York.
There are limited exemptions for very small entities under Section 500.19. The limited exemption applies to entities with fewer than 20 employees and independent contractors, less than $7,500,000 in gross annual revenue in each of the last three fiscal years, or less than $15,000,000 in year-end total assets. These thresholds are specific, and meeting any one of them qualifies an entity for the limited exemption. However, a limited exemption is not an exemption from all requirements; the entity remains subject to every provision the exemption does not cover. An entity that believes it qualifies must file a Notice of Exemption electronically within 30 days of that determination, because DFS examiners will ask.
The Core Program Requirements
Section 500.2 requires every covered entity to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems and nonpublic information. The program must be based on the entity's own risk assessment and must perform six core functions: identifying and assessing cybersecurity risks, using defensive infrastructure and policies to protect systems, detecting cybersecurity events, responding to and mitigating identified events, recovering from events and restoring operations, and fulfilling applicable regulatory reporting obligations.
Section 500.3 requires a written cybersecurity policy approved at least annually by a senior officer or the senior governing body. The policy must address information security, data governance and classification, asset inventory and device management, access controls and identity management, business continuity and disaster recovery, systems and network security, security awareness and training, application security, physical security, customer data privacy, vendor management, risk assessment, incident response, and vulnerability management.
The policy is not a one-time document. It must be reviewed and approved at least annually and must reflect the entity's actual risk profile and current operations. A policy that describes systems or processes that no longer exist, or that fails to address cloud environments and remote work, will generate findings under examination.
What the Second Amendment Changed
The Second Amendment became effective November 1, 2023 and rolled out in phases through November 1, 2025, when the final requirements took effect. The most significant changes now fully in effect are the following.
Cybersecurity Governance and the CISO Requirement
Section 500.4 requires every covered entity to designate a Chief Information Security Officer responsible for overseeing and implementing the cybersecurity program and enforcing its cybersecurity policy. The CISO may be employed directly by the covered entity, by one of its affiliates, or through a third-party service provider. If a third-party CISO is used, the covered entity must retain responsibility for compliance, designate a senior internal person responsible for direction and oversight of the third-party provider, and require the provider to maintain a cybersecurity program that protects the covered entity in accordance with Part 500.
This means a fractional vCISO arrangement fully satisfies the Part 500 CISO designation requirement, provided the governance structure and oversight responsibilities are clearly documented. The CISO must report in writing at least annually to the senior governing body on the cybersecurity program, covering the confidentiality of nonpublic information, cybersecurity policies and procedures, material cybersecurity risks, overall program effectiveness, material cybersecurity events during the reporting period, and plans for remediating material inadequacies.
MFA for All User Access to All Information Systems
Section 500.12 is generating the most compliance work in 2026. Under the original regulation, MFA was required for remote access and privileged accounts. Under the Second Amendment, which took full effect November 1, 2025, MFA is now required for any individual accessing any information systems of a covered entity. This means every user, accessing any system, must be authenticated with MFA—including internal access from within the network.
There is a limited exemption pathway. Entities that qualify for the small entity exemption under Section 500.19(a) are only required to implement MFA for remote access to information systems, remote access to third-party applications including cloud-based applications from which nonpublic information is accessible, and all privileged accounts other than service accounts that prohibit interactive login.
If the covered entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls in place of MFA. Those compensating controls must be reviewed at minimum annually. Covered entities without a CISO do not have this option available to them—which is one of the practical reasons a CISO designation is essential, not just a governance formality.
The regulation does not mandate a specific form of MFA. However, NYDFS guidance has been explicit that SMS-based MFA and push notification-based MFA present known vulnerabilities—SIM-swapping and push notification fatigue attacks respectively. NYDFS strongly recommends phishing-resistant methods. Covered entities should review not just whether MFA is in place but whether the method in use meets the standard NYDFS is now enforcing against.
Asset Inventory
Section 500.13 requires covered entities to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of their information systems. The inventory must track, at minimum, the owner, location, classification or sensitivity, support expiration date, and recovery time objectives for each asset. The policies must specify the frequency required to update and validate the inventory. NYDFS brought an enforcement action against a cryptocurrency company in 2024 specifically for failure to maintain an appropriate asset inventory, signaling this requirement will be actively enforced.
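To make the Section 500.13 minimums checkable rather than aspirational, here is an added example (written for this article, not code from the original post or any NYDFS tool): a small Python validator that runs over a constructed CSV inventory and flags rows missing a required attribute, rows whose vendor support has already expired, and rows not validated within the policy interval. The column names, the 90-day interval and the sample rows are assumptions for illustration; the real update and validation frequency is whatever your written 500.13 procedures specify.

```python
"""Checker for the Section 500.13 asset inventory minimums (added example).
Assumptions, not from the regulation: the CSV column names below and the
placeholder validation interval; your 500.13 procedures set the real one."""
import csv
import io
from datetime import date, timedelta

# Attributes Section 500.13 says the inventory must track, at minimum, mapped
# to the column names assumed for this example.
REQUIRED_FIELDS = ("asset_id", "owner", "location", "classification",
                   "support_expiration", "rto_hours", "last_validated")

# Constructed sample inventory: one compliant row, one with no owner, one
# whose vendor support has lapsed, one not validated within the policy window.
SAMPLE_INVENTORY = """\
asset_id,owner,location,classification,support_expiration,rto_hours,last_validated
srv-01,payments-team,us-east-1,confidential,2027-06-30,4,2026-05-01
srv-02,,us-east-1,internal,2027-06-30,8,2026-05-01
db-01,data-platform,on-prem-nyc,restricted,2025-12-31,2,2026-05-01
vpn-01,network-team,on-prem-nyc,internal,2027-01-15,24,2025-11-15
"""

def _parse_date(value):
    """Return a date for an ISO string, or None if blank or malformed."""
    try:
        return date.fromisoformat((value or "").strip())
    except ValueError:
        return None

def check_inventory(csv_text, as_of, validation_interval_days=90):
    """Return {asset_id: [finding, ...]} for rows failing the 500.13 minimums:
    a blank required attribute, an unparseable date, vendor support already
    expired, or a last validation older than the policy interval.
    as_of may be a date or an ISO date string."""
    as_of = _parse_date(as_of) if isinstance(as_of, str) else as_of
    limit = timedelta(days=validation_interval_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = [f"missing {f}" for f in REQUIRED_FIELDS
                  if not (row.get(f) or "").strip()]
        expires = _parse_date(row.get("support_expiration"))
        if expires is None and "missing support_expiration" not in issues:
            issues.append("unparseable support_expiration")
        elif expires is not None and expires < as_of:
            issues.append("support expired")
        validated = _parse_date(row.get("last_validated"))
        if validated is None and "missing last_validated" not in issues:
            issues.append("unparseable last_validated")
        elif validated is not None and as_of - validated > limit:
            issues.append("validation overdue")
        if issues:
            findings[row.get("asset_id") or "<no id>"] = issues
    return findings
```

Calling check_inventory(SAMPLE_INVENTORY, "2026-05-27") reports srv-02, db-01 and vpn-01 and passes srv-01; the same function run over your real export, with the interval set from your policy, gives examiners the documented validation evidence the section asks for.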
Incident Response and Business Continuity
Section 500.16 requires written plans that include both an incident response plan and a business continuity and disaster recovery plan. The incident response plan must address the goals of the plan, internal response processes, clear roles and decision-making authority, internal and external communications, remediation requirements, documentation and reporting, recovery from backups, root cause analysis, and procedures for updating the plan. Ransomware incidents are specifically called out as a type of disruptive event the plan must address.
The business continuity and disaster recovery plan must identify documents, data, facilities, infrastructure, personnel, and competencies essential to continued operations; identify supervisory personnel responsible for implementing each aspect of the plan; include communications procedures for essential persons including employees, counterparties, regulatory authorities, and third-party service providers; include procedures for timely recovery of critical data and systems; include procedures for backing up essential information with sufficient frequency and storing it offsite; and identify third parties necessary to continued operations.
Covered entities must test both plans at minimum annually with all staff and management critical to the response, and must separately test their ability to restore critical data from backups annually.
Third-Party Service Provider Requirements
Section 500.11 requires written policies and procedures designed to ensure the security of information systems and nonpublic information accessible to or held by third-party service providers. These policies must address identification and risk assessment of third-party providers, minimum cybersecurity practices required of providers, due diligence processes for evaluating the adequacy of their cybersecurity practices, and periodic assessment of providers based on risk.
Contractual protections must include provisions addressing the third-party provider's policies for access controls including its use of MFA as required by Section 500.12, encryption as required by Section 500.15, notice to the covered entity in the event of a cybersecurity event affecting its information systems or nonpublic information, and representations and warranties regarding the provider's cybersecurity policies. NYDFS issued additional guidance in October 2025 emphasizing that covered entities should contractually require their vendors to implement MFA at the same level Part 500 requires of the covered entity itself.
Incident Reporting: The 72-Hour Obligation
Section 500.17(a) requires each covered entity to notify the superintendent electronically as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider. This is a hard deadline.
The clock starts from the point of determination, not from the point of discovery. The regulation's definition of when an entity should reasonably have determined an incident occurred is applied by examiners with hindsight. The covered entity has a continuing obligation to update the superintendent with material changes or new information previously unavailable.
A cybersecurity incident under the regulation means a cybersecurity event that impacts the covered entity and requires notification to any government body, has a reasonable likelihood of materially harming any material part of normal operations, or results in the deployment of ransomware within a material part of the covered entity's information systems.
Extortion Payments: A Separate and Additional Obligation
Section 500.17(c) creates a separate and distinct obligation triggered specifically when a covered entity makes an extortion payment in connection with a cybersecurity event. This is not a change to the 72-hour incident reporting window—it is an additional requirement that applies only when an actual payment is made.
When a covered entity makes an extortion payment, it must provide the superintendent with notice of the payment within 24 hours of making it. Within 30 days of the payment, the covered entity must also submit a written description of the reasons the payment was necessary, a description of alternatives to payment that were considered, all due diligence performed to find alternatives to payment, and all due diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
These are two distinct obligations. Every cybersecurity incident meeting the definition in Section 500.1(g) requires the 72-hour notification regardless of whether any payment is made. If a payment is also made, the 24-hour payment notice and 30-day written explanation are required on top of the incident notification—not instead of it.
The Annual Certification: Personal Liability for Senior Leadership
Section 500.17(b) requires every covered entity to submit to the superintendent electronically by April 15 each year either a written certification of material compliance with Part 500 for the prior calendar year, or a written acknowledgment of noncompliance that identifies the sections not materially complied with, describes the nature and extent of noncompliance, and provides a remediation timeline or confirmation that remediation has been completed.
The certification or acknowledgment must be signed by the covered entity's highest-ranking executive and its CISO. If the covered entity does not have a CISO, it must be signed by the highest-ranking executive and the senior officer responsible for the cybersecurity program. Both signatories are attesting to the accuracy of the filing. This provision creates direct personal accountability for senior leadership.
The certification must be supported by data and documentation sufficient to accurately determine and demonstrate material compliance. All supporting records must be retained for a period of five years, including identification of all areas requiring material improvement, remedial efforts undertaken, and remediation plans and timelines. This means the annual certification is not something to begin preparing in March. The evidence it requires—penetration testing results, risk assessments, access control reviews, vendor assessments, policy review records—must be collected and maintained throughout the year.
Vulnerability Management Requirements
Section 500.5 requires written policies and procedures for vulnerability management designed to assess and maintain the effectiveness of the cybersecurity program. At minimum, covered entities must conduct penetration testing of their information systems from both inside and outside the systems' boundaries by a qualified internal or external party at least annually. They must also conduct automated scans of information systems at a frequency determined by the risk assessment and promptly after any material system changes, with manual review of systems not covered by automated scans.
Covered entities must have a monitoring process to be promptly informed of new security vulnerabilities and must timely remediate vulnerabilities giving priority based on the risk they pose.
Where Fintechs Are Finding the Biggest Gaps in 2026
Based on enforcement patterns and examination findings, the Part 500 requirements generating the most remediation work are the following.
The expanded MFA requirement under Section 500.12 is the largest single source of compliance work. The extension to all user access to all information systems, including internal access, represents a significant expansion from the prior requirement. Many covered entities implemented MFA for remote access years ago and have not extended it to internal systems access.
Third-party vendor governance gaps are also common. The specific contractual requirements for vendor security obligations, breach notification timelines, and MFA requirements flowing down to vendors are frequently missing from contracts that were negotiated before the Second Amendment's requirements were fully understood.
Asset inventory programs are frequently absent or incomplete. The specific tracking requirements for owner, location, classification, support expiration date, and recovery time objectives go beyond the informal asset lists many entities maintain.
The personal liability provisions of the dual certification requirement are catching senior executives off guard. Executives who treated cybersecurity as an IT function delegated to technical staff are now personally signing an annual certification attesting to compliance. The behavioral change this requires—genuine executive engagement with cybersecurity governance throughout the year, not just at filing time—is significant.
A Note on Class A Company Requirements
Section 500.1(d) defines a Class A company as a covered entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations and affiliates, and either over 2,000 employees averaged over the last two fiscal years or over $1,000,000,000 in gross annual revenue. Class A companies face additional requirements including independent cybersecurity program audits based on risk assessment, a privileged access management solution, an automated method of blocking commonly used passwords, an endpoint detection and response solution to monitor anomalous activity including lateral movement, and a solution that centralizes logging and security event alerting.
Most early to mid-stage fintechs will not meet the Class A threshold. However, understanding it is relevant for fintechs anticipating significant growth or those operating as affiliates of larger financial institutions.
NYDFS Part 500 Compliance Support
Compliance CISO brings Fortune 500 security expertise—including programs at Equifax, Capital One, and Visa—to fintechs navigating NYDFS Part 500 compliance. We can serve as your designated CISO, satisfy the regulation's governance requirements, and prepare your annual certification package.
