23 NYCRR Part 500 Is Now in Effect: What Financial Institutions Must Do to Stay Compliant
By: Katherine McCleery

As of November 1, 2025, financial institutions operating in New York State are required to comply with the New York Department of Financial Services (NYDFS) updated cybersecurity requirements under 23 NYCRR Part 500, including the expanded obligations in Sections 500.13 (asset management and data retention) and 500.17 (annual certification or acknowledgment of noncompliance).
Because enterprises typically need several months to build an effective IT asset management (ITAM) program, Chief Information Security Officers and IT leaders are no longer preparing for compliance; they are now expected to demonstrate compliance with multiple in-effect NYDFS requirements, including both 500.13 and 500.17.
Together, Sections 500.13 and 500.17 represent two of the most operationally demanding and auditable components of the regulation—requiring accurate, continuously updated asset inventories as well as annual executive-level filings that attest to an organization’s overall material compliance with Part 500.
Keep reading to learn:
- What these rules entail
- The challenges they’ll put on financial institutions
- What can be done to get compliant
Understanding Section 500.13
The NYDFS supervises over 3,000 institutions that hold almost $10 trillion in assets. The regulation applies to “Covered Entities”: entities that are required to operate under a license, registration, or other authorization under New York's Banking Law, Insurance Law, or Financial Services Law.
That includes:
- State-chartered banks
- Private bankers
- Licensed lenders
- Mortgage companies
- Trust companies
- Service contract providers
- Insurance companies that do business in New York
- Non-U.S. banks licensed to operate in New York
Under Section 500.13, financial institutions must establish written policies and procedures within their cybersecurity program to ensure the creation and maintenance of a detailed and documented asset inventory of their information systems. These policies must track essential details for each asset as well as outline the frequency for updating and validating the asset inventory.
Additionally, there must be policies in place for the secure disposal of nonpublic information that is no longer necessary for business operations. The only exception is when retention is mandated by law or regulation or the data’s disposal is impractical due to the way the information is maintained.
Beyond 500.13, Part 500 also requires a fully documented cybersecurity program (500.2), policies (500.3), access controls (500.7), risk assessments (500.9), incident response plans (500.16), and annual executive certification (500.17). Understanding 500.13 in context is essential for demonstrating full Part 500 compliance.
Asset Management Under 500.13
All Covered Entities must create and maintain a complete and accurate asset inventory of their information systems throughout the entire lifecycle of ownership (from the time of forecasting through final depreciation).
These businesses will have to track key information for each asset, including but not limited to the asset’s:
- Owner
- Location
- Classification
- Dependencies
- Purchase date
- Provisioning date
- Data access rights
- Audit confirmations
- Disposal certification
- End of Life (EOL) date
- Technology deployed/versioning
- Warranty/support expiration date
- Data removal/retention/reassignment audits
- Monitoring audit history (incidents reported/remediations completed)
Data Disposal Under 500.13
When it comes to the data that IT organizations gather and retain, Covered Entities must demonstrate evidence of securely disposing of nonpublic information that they no longer need for business operations.
Unless a specific law or regulation requires the organization to retain the information, or its disposal is unreasonably difficult because of the way it is maintained, the data must be securely disposed of, and the Covered Entity must track the key information for each asset that evidences that disposal.
This includes but is not limited to:
- EOL date
- Dependencies
- Audit confirmations
- Disposal certification
- Data removal/retention/reassignment audits
“We Use a CMDB. We’re Fine.”
It's no secret that a majority of enterprises use a configuration management database (CMDB) to store and organize data about their hardware and software assets. Unfortunately, a CMDB heavily relies on manual maintenance and is only accurate in the exact moment it's updated.
According to Forrester, although 82% of businesses agree that their CMDB is essential for their IT operations, 51% feel their CMDB data quality is poor. What’s more, 63% don’t trust their database to provide accurate, up-to-date information.
With the regulation now enforceable, financial institutions can no longer rely on incomplete or outdated CMDB data. Covered Entities must prove that their asset inventories meet NYDFS’ accuracy, completeness, and audit-readiness requirements.
Especially in light of these new regulations and compliance deadlines, financial institutions need to enrich CMDBs with comprehensive IT asset management that supports these strict requirements.
Understanding Section 500.17 — Annual Certification & Acknowledgment of Noncompliance
Section 500.17 establishes one of the most visible and enforceable requirements of 23 NYCRR Part 500: the obligation to submit an annual filing by April 15 each year.
Covered Entities must submit one of two filings:
1. Certification of Material Compliance
If the organization was materially compliant with all applicable sections of Part 500 for the previous calendar year, it must file a Certification of Material Compliance. This document must be signed by both the highest-ranking executive and the CISO (or senior officer responsible for cybersecurity).
2. Acknowledgment of Noncompliance
If an entity cannot certify full material compliance, it must submit an Acknowledgment of Noncompliance. This filing must:
- Identify each section of Part 500 with which the entity did not materially comply
- Describe the nature and extent of the noncompliance
- Provide either a remediation timeline or confirmation that remediation is complete
Important operational requirements under 500.17:
- Covered Entities may begin filing on January 1 each year
- All Covered Entities (even those with limited exemptions under 500.19) must file a notification each year
- Entities with multiple licenses must file for each license separately
- All documentation supporting the certification/acknowledgment must be retained for 5 years
Penalties for Noncompliance
$2 Million. $4.5 Million. $8 Million.
These are just some of the steep fines that NYDFS has imposed on companies for noncompliance with cybersecurity and data retention regulations.
For violations of New York’s Banking, Insurance, or Financial Services laws, NYDFS can impose civil monetary penalties that vary based on the severity, duration, and nature of the noncompliance. Under Section 44 of the New York Banking Law, fines may reach up to $2,500 per day for standard violations, escalating to as much as $15,000 per day if NYDFS determines the noncompliance to be reckless or part of a persistent pattern.
Noncompliance with Section 500.13 often results from incomplete, inaccurate, or inconsistent asset inventories—issues that typically require months of remediation. Because violations accumulate daily, organizations with significant gaps in lifecycle data can quickly incur fines reaching seven figures.
Section 500.17 presents additional financial exposure. Companies that submit late certifications, fail to file altogether, or provide false certifications have faced multi-million-dollar penalties, as seen in several public enforcement actions involving inaccurate attestations. Because NYDFS views annual filings as formal regulatory declarations, errors or omissions in 500.17 filings carry heightened enforcement risk.
How Oomnitza Can Help
If your organization needs support meeting the asset, data, and governance requirements of 23 NYCRR Part 500, Oomnitza can help. Our modern IT asset management platform gives financial institutions the visibility, accuracy, and automation needed to comply with Sections 500.13 and 500.17.
Oomnitza provides:
- Connected lifecycle visibility across your hardware, software, cloud, and user assets
- Accurate, continuously updated asset inventories essential for 500.13
- Data normalization and enrichment to ensure system-of-record consistency
- Automation and controls that improve evidence collection and support annual certifications under 500.17
- A unified view of your technology estate for audit readiness and regulatory reporting
With Oomnitza, Covered Entities can strengthen data integrity, reduce manual effort, and maintain continuous compliance across the lifecycle—supporting both 500.13 requirements and the accuracy of annual filings under 500.17.
FAQs
What exactly is 23 NYCRR Part 500?
23 NYCRR Part 500 is a New York State cybersecurity regulation issued by the Department of Financial Services (NYDFS). It establishes baseline cybersecurity standards for financial institutions and other regulated organizations, requiring them to implement controls that safeguard nonpublic information and ensure the resilience of their technology environments.
Which agency is responsible for oversight and enforcement?
The regulation is administered and enforced by the New York State Department of Financial Services. NYDFS examines regulated entities, reviews required filings, investigates cybersecurity events, and can take enforcement action—including financial penalties—when violations occur.
Who falls under the “Covered Entity” definition?
A Covered Entity is any person or organization operating under a license, charter, registration, certificate, or similar authorization issued by NYDFS. This includes banks, insurance carriers, mortgage servicers, money transmitters, and other financial services firms overseen by the Department.
What are the consequences of not meeting the requirements?
Failure to comply with Part 500 can result in regulatory actions ranging from mandated remediation to significant civil monetary penalties. NYDFS has issued multi-million-dollar fines in cases involving weak controls, inaccurate filings, or material gaps in compliance—especially when annual certifications under Section 500.17 were incorrect or misleading.
Is an annual compliance filing required?
Yes. Every Covered Entity must file either a Certification of Material Compliance or an Acknowledgment of Noncompliance each year, as required by Section 500.17. These filings are due by April 15 and must accurately reflect the organization’s compliance status for the prior calendar year.
Are there per-day fines for missing the annual filing deadline?
Part 500 itself does not set a specific daily penalty for failing to submit the certification. However, NYDFS may impose monetary penalties under the applicable Banking, Insurance, or Financial Services laws—often based on the seriousness, duration, and impact of the violation.
Where do organizations submit certifications, exemptions, and event notices?
All required filings must be submitted electronically through the NYDFS Secure Portal.
This includes annual compliance filings, exemption notices, and cybersecurity event notifications.
How does Section 500.13 fit into the wider Part 500 requirements?
Section 500.13 focuses on maintaining accurate, up-to-date inventories of assets and nonpublic information throughout their lifecycle. Because asset data is foundational to security decision-making, accurate inventories directly support compliance with many other provisions—such as access control, risk assessments, incident response, and ultimately, the accuracy of the annual certification required under Section 500.17.
Prefer video? Watch our 5-part series.
Get quick, practical explanations of 23 NYCRR Part 500—with a focus on asset inventory and how to build audit-ready lifecycle visibility to ensure compliance.
If you have questions about 23 NYCRR 500 or would like help bringing your organization into compliance, email us at team_oomnitza@oomnitza.com.
This blog provides a high-level overview of some options and actions that may be necessary for enhancing your organization's cybersecurity practices in light of the updated amendments to 23 NYCRR Part 500. It is not intended to ensure compliance with all legal requirements or to cover every new amendment to the law.