
The NYDFS Part 500 Ransomware Update: What Every Covered Entity Needs to Know

Jun 4, 2026 12:00:00 AM Richard Mendoza 13 min read

If your organization holds a license, registration, charter, or authorization from the New York Department of Financial Services, you are covered by one of the most prescriptive and aggressively enforced cybersecurity regulations in the United States. As of November 1, 2025, the final phase of NYDFS Part 500's Second Amendment is fully in effect. The multi-year phase-in is over. There are no further deadlines on the horizon to hide behind. Either your organization is compliant right now, or it is not.

This article breaks down what changed, what the regulation now requires in full, what NYDFS has already proven it is willing to do when covered entities fall short, and what every small and mid-sized financial firm and insurance entity needs to do before the April 15, 2026 annual certification deadline.

If you are also managing AI governance obligations alongside your Part 500 program, our team has covered FINRA's parallel requirements in detail: FINRA 2026 GenAI Governance: A Survival Guide for Small Financial Firm CEOs. The two regulatory frameworks are converging rapidly, and small firms need a coordinated response to both.

What Is NYDFS Part 500 and Who Does It Apply To?

NYDFS Part 500 was first enacted on March 1, 2017, establishing cybersecurity requirements for financial services companies: a first-in-the-nation regulatory framework designed to protect consumers and the stability of New York's financial system against cyber threats. It has been amended and strengthened twice since, most significantly through the 2023 Second Amendment, which represented the most substantial revision since the regulation launched. (Akin Gump)

Part 500 applies to any covered entity operating under a license, registration, charter, or authorization from NYDFS. This includes banks, trust companies, credit unions, insurance companies, agents and brokers, mortgage lenders and servicers, money transmitters, virtual currency businesses, and investment advisers.

This scope matters enormously for small and mid-sized firms. Many small broker-dealers, independent insurance agencies, mortgage companies, and registered investment advisers operate under the assumption that Part 500 is primarily a large-institution regulation. It is not. The regulation applies based on your NYDFS authorization, not the size of your balance sheet or employee count. A five-person registered investment adviser is as covered as a 500-person regional bank and subject to the same rigorous controls.

There is a limited small business exemption, but it is narrower than most small entities assume. The small business exception only reduces certain MFA obligations. Entities qualifying for it are still required to use MFA for remote access to information systems, remote access to third-party applications, and all privileged accounts other than service accounts. It does not eliminate the requirement for a written cybersecurity program, risk assessments, a designated CISO, incident response planning, third-party vendor oversight, or annual certification filing. For most small firms, the practical compliance burden under the exemption remains substantial.

The NYDFS Second Amendment: What Actually Changed

The Second Amendment, adopted November 2023 and fully phased in by November 1, 2025, was not a routine update. It expanded both scope and depth, introduced personal executive liability through dual-signature certification requirements, set breach notification deadlines of 72 hours for cybersecurity incidents and 24 hours for ransomware payments, and required new technical controls including asset inventories, vulnerability scans, and privileged access management. (BARR Advisory)

The changes most likely to create immediate compliance gaps at smaller organizations fall into five areas.

Multi-Factor Authentication

The prior version of Part 500 only mandated MFA for access to internal networks from outside the network. The amended rule significantly broadens this. Covered entities must now implement MFA for all individuals remotely accessing any information system from which data is accessed or provided, including cloud applications such as Microsoft 365, Google Workspace, and other SaaS platforms. (Businessinformationgroup)

NYDFS has explicitly stated that MFA deficiencies are the most commonly exploited gap in cybersecurity breaches among covered entities. They have also published prescriptive FAQs, released just after the November 1 deadline, that detail exactly which authentication methods satisfy the requirement and which do not. Push-based and SMS authentication methods are explicitly flagged as vulnerable to modern attacks. NYDFS strongly recommends phishing-resistant alternatives including FIDO2, WebAuthn, and hardware security keys. If your organization is currently relying on SMS codes or push notifications as its MFA standard, you have a documented compliance gap.

Written Asset Inventory

Covered entities must now maintain written procedures for creating and maintaining a comprehensive information system asset inventory. For small firms managing their IT informally, this is often the most disruptive requirement to build from scratch. An asset inventory is not an IT asset spreadsheet. Under Part 500, it is a documented, maintained program that accounts for hardware, software, data flows, and access points. It must be current and defensible under examination. In January 2024, NYDFS cited Genesis Global Trading, Inc. for failing to address asset inventory and device management as part of its cybersecurity program, one of several Part 500 violations that resulted in an $8 million penalty and the surrender of its operating license. Asset inventory compliance is now an active NYDFS examination priority.

Ransomware Notification — 24 Hours

Ransomware payments must be reported to NYDFS within 24 hours. This is one of the most operationally demanding requirements in the regulation. In a ransomware incident, the first 24 hours are typically consumed by incident response: containing the spread, assessing the scope, engaging forensic support, and communicating internally. The notification obligation does not pause for any of that. Organizations that have not pre-built their NYDFS notification workflow into their incident response plan will almost certainly miss this window under pressure. (BARR Advisory)

Third-Party Risk Management

NYDFS issued new, highly prescriptive third-party risk management guidance just days before the November 1 deadline. Under the amended regulation, covered entities are responsible for ensuring that their service providers and vendors who access nonpublic information also maintain appropriate cybersecurity controls. This means reviewing vendor contracts, conducting due diligence on third-party security posture, and maintaining documented oversight. For small firms relying heavily on cloud platforms, accounting software, payroll processors, and other SaaS vendors, this requires a structured vendor inventory and review process that most have never built, along with an approach to managing the vendor life cycle from onboarding through offboarding. (NAIC)

Personal Executive Liability

The annual compliance certification now requires dual signatures from both the CEO and the CISO, with both executives attesting compliance using verifiable data retained for five years, creating direct personal regulatory liability for both signatories. This is the change that should most concentrate the attention of small firm leadership. If your organization files a Certification of Material Compliance and NYDFS subsequently identifies deficiencies during an examination or following a breach, the individuals who signed that document are personally accountable for its accuracy.

Filing an optimistic certification is not a safe middle ground. It is a liability. Making false statements to NYDFS through a certification of compliance is itself independently actionable, in addition to any substantive violations of Part 500 that the certification conceals. NYDFS has demonstrated its willingness to pursue enforcement action when certifications prove inaccurate, and enforcement findings frequently include the conclusion that the certifying officer failed to exercise appropriate oversight or relied on incomplete information when signing. (ReliaQuest; PCI Security Standards Council)

What NYDFS Has Already Proven It Will Do

Understanding the enforcement record is essential context for any organization still treating Part 500 compliance as a low-priority item. NYDFS is not a regulator that issues warnings and waits for self-correction. Since 2021, NYDFS has entered into consent orders with 27 entities for violations of the cybersecurity regulation, resulting in over $144 million in total fines. Two cases from the past year make the enforcement posture concrete. (Cytranet)

CASE IN POINT

Healthplex, Inc. Penalty: $2,000,000 | NYDFS | August 2025

What happened: Healthplex is a licensed insurance agent and independent adjuster — not a large bank, not a major financial institution. A single phishing email gave an attacker access to one employee's inbox and exposed the nonpublic information of tens of thousands of consumers. NYDFS found that Healthplex violated Part 500 by failing to implement MFA on its email system, lacking a data retention policy that would have limited the scope of the exposure, and failing to notify NYDFS within the required 72-hour window. The notification arrived four months after the breach was discovered. (Source: Pillsbury Law, August 2025)

What it means for your firm: This was not a sophisticated attack defeating a well-prepared organization. One employee clicked a phishing link. The $2 million penalty came from three missing controls, not the breach itself. If your firm holds any NYDFS license, this case describes your regulatory environment. Size is not a defense. License type is not a defense. The absence of basic documented controls is the violation.

Gemini Trust Company, LLC Penalty: $37,000,000 | NYDFS | February 2024

What happened: Gemini's Earn Program allowed customers to loan their virtual currency to Genesis Global Capital, an unregulated third party not licensed by NYDFS. Genesis defaulted on approximately $1 billion worth of loans, leaving hundreds of thousands of customers unable to access their assets. NYDFS found that Gemini had failed to conduct sufficient and ongoing due diligence on Genesis before routing customer funds through it, and had made misleading representations to customers about the program's safety. The result was a $37 million penalty and a commitment to return over $1.1 billion to harmed customers. (Alston & Bird)

What it means for your firm: NYDFS holds covered entities directly accountable for the third parties they rely on — whether those third parties are technology vendors, lending partners, or service providers. If a relationship with an unvetted or inadequately monitored third party causes harm to your customers or creates risk to your organization's safety and soundness, NYDFS will hold you responsible for that failure. The question regulators ask is not whether the third party caused the problem. It is whether you did sufficient due diligence before the relationship began and maintained adequate oversight throughout it. (Source: NYDFS Press Release, February 28, 2024)

Taken together, these two cases span the full range of covered entities: a small licensed adjuster and one of the largest fintech platforms in the country. The enforcement pattern is consistent regardless of organization size or type. Penalties can start at $2,500 per day for each instance of noncompliance. Under New York Banking Law, civil penalties for willful violations scale to $75,000 per day, and recent enforcement actions have reached individual fines exceeding $30 million. These numbers do not scale down because your organization is smaller. They accumulate based on the duration and nature of the violation.

Your April 15, 2026 Certification: What Needs to Be True

The requirements that took effect November 1, 2025 are subject to the annual certification requirement due April 15, 2026, which covers calendar year 2025. That means your upcoming certification must reflect compliance with the complete scope of the Second Amendment.

Before that filing, every covered entity should be able to answer these questions with documented evidence, not estimates:

Is MFA implemented for all remote access to every information system your organization uses, including every cloud application?

Is your information system asset inventory written, current, and maintained under a documented program?

Have you reviewed and tightened your third-party vendor agreements to reflect the new risk management requirements?

Is your incident response plan updated to include the 24-hour ransomware payment notification and 72-hour cybersecurity incident notification workflows?

Can both your CEO and CISO attest to the accuracy of your certification with verifiable, retained documentation?

If any of those questions produced hesitation, treat that hesitation as a compliance gap that needs to be closed before April 15.

How CompassMSP Supports NYDFS Part 500 Compliance

For small and mid-sized financial firms and insurance entities, building and maintaining a Part 500-compliant cybersecurity program is a significant operational undertaking. Most organizations in this category do not have a full-time CISO, a dedicated compliance team, or the internal capacity to manage the documentation, controls, and ongoing evidence collection the regulation requires.

CompassMSP's financial services compliance practice is built specifically for covered entities navigating NYDFS Part 500, FINRA, SEC Regulation S-P, and related obligations. Our vCISO and compliance team can serve as your organization's dedicated cybersecurity leadership, building the written programs, risk assessments, asset inventories, incident response plans, and vendor management frameworks that satisfy Part 500's requirements and the evidence packages that make your annual certification defensible under examination.

We work with broker-dealers, registered investment advisers, insurance agencies, mortgage companies, and other NYDFS-licensed entities to build compliance programs that are sustainable, documented, and built to survive an audit rather than simply check a box.

The TL;DR

NYDFS Part 500 has evolved from a risk-based guideline into one of the most prescriptive and aggressively enforced cybersecurity mandates in the United States. The Second Amendment is fully in effect. The personal liability provisions are live. The April 15 certification deadline is approaching.

The organizations that have faced the largest penalties were not reckless. Most were simply behind, lacking controls they had not prioritized, missing documentation they had not built, and discovering the gap at the worst possible moment. The difference between them and the organizations that stayed compliant was not sophistication. It was timing.

Stay Ahead of What's Coming

NYDFS Part 500 is one of dozens of regulations actively affecting small and mid-sized businesses across finance, healthcare, insurance, manufacturing, and more. Keeping up with all of them is a full-time job — which is why we built The Fine Print.

Every quarter, CompassMSP's vCISO and compliance team tracks the regulatory updates, enforcement actions, and deadlines that matter most to your industry and delivers them in a format you can actually use. No jargon. No filler. Just what you need to know.

Subscribe free at thefineprint.compassmsp.com

If something in this article raised a concern about your organization's compliance posture, our team is available to help you understand where you stand and what to do about it.

Explore our Compliance and Risk Management services

Frequently Asked Questions: NYDFS Part 500 Compliance for Small and Mid-Sized Financial Firms

What is NYDFS 23 NYCRR Part 500 and does it apply to my small financial firm?

NYDFS 23 NYCRR Part 500 is New York's cybersecurity regulation for financial services companies. It applies to every organization operating under a license, registration, charter, or authorization from the New York Department of Financial Services. That includes small broker-dealers, independent registered investment advisers, insurance agencies, mortgage companies, money transmitters, and credit unions regardless of size. If your firm holds any NYDFS authorization, Part 500 applies to you. The small business exemption reduces some requirements but does not eliminate the core obligations including a written cybersecurity program, risk assessments, incident response planning, third-party vendor oversight, and the annual certification filing.

What changed with the NYDFS Part 500 Second Amendment?

The Second Amendment, adopted in November 2023 and fully effective as of November 1, 2025, was the most significant revision to Part 500 since it launched in 2017. Key changes include mandatory MFA for virtually all remote access including cloud applications, a written asset inventory program, ransomware payment notification within 24 hours, cybersecurity incident notification within 72 hours, enhanced third-party risk management requirements, and a dual-signature annual certification that creates personal liability for the CEO and CISO. The phase-in period ended November 1, 2025. All requirements are now in full effect.

What does NYDFS Part 500 require for multi-factor authentication?

The amended regulation requires MFA for all individuals remotely accessing any information system, including cloud applications such as Microsoft 365, Google Workspace, and other SaaS platforms your firm uses. This is significantly broader than the prior requirement, which only mandated MFA for access to internal networks from outside the network. NYDFS has also published guidance explicitly identifying SMS codes and push notifications as weak authentication methods. Phishing-resistant alternatives such as FIDO2, WebAuthn, and hardware security keys are the recommended standard. If your firm currently uses SMS or push-based MFA, you have a documented compliance gap under the amended regulation.

What are the NYDFS Part 500 notification requirements for ransomware?

Ransomware payments must be reported to NYDFS within 24 hours of the payment. Broader cybersecurity incidents must be reported within 72 hours of determining that a reportable event has occurred. These windows do not pause for incident investigation or internal review. Organizations that have not built NYDFS notification procedures directly into their incident response plans will almost certainly miss these deadlines under the pressure of an active incident. The Healthplex enforcement action, which resulted in a $2 million penalty in August 2025, cited a breach notification that arrived four months after discovery rather than within 72 hours.

What are the penalties for non-compliance with NYDFS Part 500?

Penalties under Part 500 can start at $2,500 per day for each instance of noncompliance. Under New York Banking Law, civil penalties for willful violations scale to $75,000 per day. NYDFS enforcement actions have reached individual fines exceeding $30 million. Since 2021, NYDFS has entered consent orders with 27 entities, resulting in over $144 million in total fines. These penalties do not scale based on your firm's size. They are calculated based on the duration and nature of the violation. A small three-person registered investment adviser faces the same penalty structure as a large regional bank.

What is the NYDFS Part 500 annual certification and when is it due?

Every covered entity must file either a Certification of Material Compliance or an Acknowledgment of Noncompliance with NYDFS by April 15 of each year. The certification covers the prior calendar year and must be signed by both the CEO and the CISO. Both executives are personally attesting to the accuracy of the filing using verifiable documented evidence that must be retained for five years. Filing an optimistic or undocumented certification is not a safe middle ground. If NYDFS identifies deficiencies during an examination or following a breach, the individuals who signed the certification are personally accountable for its accuracy.

The April 15, 2026, certification covers calendar year 2025 and must reflect full compliance with the Second Amendment requirements.

Does NYDFS Part 500 apply to insurance agencies and independent adjusters, not just banks?

Yes. Part 500 applies to every entity operating under an NYDFS authorization, which explicitly includes insurance companies, insurance agents, and insurance brokers. The Healthplex enforcement action in August 2025 settled for $2 million and involved a licensed insurance agent and independent adjuster, not a bank or major financial institution. The violations were the absence of MFA, a missing data retention policy, and a late breach notification. If your insurance agency holds a New York license, Part 500 applies to your organization and the enforcement record makes clear that NYDFS is actively examining and penalizing licensed entities of every size.

How does an MSP or MSSP help a small financial firm achieve NYDFS Part 500 compliance?

A qualified MSP or MSSP with financial services compliance experience can close the gap that most small firms face: the absence of dedicated internal cybersecurity and compliance leadership. Specifically, an MSP or MSSP supporting Part 500 compliance should be able to provide a virtual CISO to serve as your designated CISO under the regulation, conduct and document your annual risk assessment, build and maintain your written cybersecurity program and asset inventory, implement and document MFA controls across your environment, develop your incident response plan including NYDFS notification workflows, manage third-party vendor cybersecurity due diligence, and prepare your annual certification evidence package. Not all MSPs are equipped to deliver compliance services at this level. Look for a provider with demonstrated experience in regulated financial services environments, not just general IT support.

Read more about how to evaluate an MSSP for regulated industries in this article.

What is the difference between an MSP and an MSSP for NYDFS Part 500 compliance?

A managed service provider, or MSP, typically focuses on IT operations: network management, help desk support, device management, and infrastructure. A managed security services provider, or MSSP, adds cybersecurity monitoring, threat detection, incident response, and security operations capabilities on top of the managed IT foundation. For NYDFS Part 500 compliance, you need both operational IT stability and active cybersecurity management. An MSSP with a compliance practice can also provide the governance layer: written programs, risk assessments, policy documentation, and audit preparation. CompassMSP operates as both an MSP and MSSP, which means your IT infrastructure and your cybersecurity compliance program are managed under one roof with direct accountability for both.

How do I know if my financial firm is actually compliant with NYDFS Part 500 right now?

The most reliable way to assess your compliance posture is a structured gap assessment conducted against the full requirements of the Second Amendment. This involves reviewing your current cybersecurity controls against each section of Part 500, identifying which requirements are documented and implemented, which are partially in place, and which are absent, and producing a remediation roadmap that sequences the work before your next certification deadline. Many small firms that believe they are compliant discover gaps during this process, most commonly in MFA coverage for cloud applications, the completeness of their asset inventory, the specificity of their incident response plan, and the depth of their third-party vendor documentation. A gap assessment is the starting point, not a pass-fail test. It tells you exactly where you stand and what needs to happen before April 15. CompassMSP's financial services compliance team conducts Part 500 gap assessments for small and mid-sized covered entities. You can learn more about our financial services practice at compassmsp.com/industries/financial-services.

Richard Mendoza

Richard is a Senior Virtual Chief Information Security Officer with CompassMSP. He has over twenty-five years of experience as an information security professional, with hands-on experience in engineering, process and information security, and IT audit disciplines. With wide-ranging knowledge as a Systems Engineer, Information Security Officer, and Senior Auditor, Richard has expertise in managing internal and external audits focused on reducing overall risk exposure and infrastructure redundancy for organizations.
