
NYDFS Part 500: The Full Regulation, In Force

The phased deadlines are done, the dual-signature certification is personal, and 2026 is the first year examiners test the whole regulation at once. What it demands, and where findings come from.

8 min read · Updated June 2026
Short Answer

23 NYCRR Part 500 applies to entities licensed by the New York Department of Financial Services — banks, insurers, money transmitters, mortgage lenders, fintechs — and as of late 2025 the Second Amendment is fully in force. The headline obligations: a documented cybersecurity program approved by the senior governing body, a named CISO, broad MFA, asset inventory, encryption, 72-hour incident notification (24 hours for extortion payments), and an annual filing by April 15 signed by both the CEO and CISO — either certifying material compliance or acknowledging noncompliance with a remediation plan. Class A companies add independent audits, privileged access management, and EDR. The dual signature is the point: it converts program gaps into personal accountability.

Part 500 started in 2017 as a risk-based framework and has evolved into one of the most prescriptive, most aggressively enforced cybersecurity regulations in the United States — NYDFS has levied fines as high as $30 million for compliance failures. With the Second Amendment's phased deadlines complete as of November 2025, 2026 is the first year the full regulation is examined as a whole. Here's what that examination covers.

The obligations that generate findings

Requirement | What it demands
Program & governance (§500.2–.4) | Written program approved by the senior governing body; a named CISO reporting annually to the board; the 2023 amendment pushed cyber governance explicitly into the boardroom
Risk assessment (§500.9) | The document everything else hangs on — controls must trace to it, and examiners test that traceability
MFA (§500.12) | Broadly required, including privileged accounts and third-party access; NYDFS has publicly flagged SMS and push-based MFA as weak
Asset inventory (§500.13) | Explicit, maintained inventory — an amendment addition that consistently surfaces gaps
Incident notice (§500.17(a)) | 72 hours for cybersecurity events; 24 hours for any extortion payment, with a 30-day written explanation of why payment was necessary
Annual filing (§500.17(b)) | By April 15: Certification of Material Compliance or Acknowledgment of Noncompliance with remediation plan — signed by CEO and CISO, supported by documentation and data
Class A additions | 2,000+ employees or $1B+ revenue (with affiliates): independent cybersecurity audits, privileged access management, automated blocking of common passwords, EDR and centralized logging

What makes Part 500 different

Three design choices give this regulation unusual teeth. First, the dual-signature certification: when a CEO and CISO sign a certification of material compliance that the program's documentation can't support, the exposure is personal, not just corporate — which is why the April filing has become a genuine forcing function for program work rather than a formality. Second, the risk assessment as the spine: Part 500 doesn't hand you a checklist; it requires your controls to be justified by your own risk assessment, and examiners increasingly test whether that chain of reasoning is real. Third, velocity of expectations: AI governance has already emerged as an examination topic, and NYDFS guidance keeps tightening interpretations (the MFA-quality warnings being the clearest example) without waiting for rulemaking.

The certification-support problem

The operational question for 2026 isn't "do we have controls" — it's "can the documentation behind the April filing survive an examiner." That's an evidence-chain problem: risk assessment to control decisions, control decisions to implementation evidence, evidence to the certification two executives sign. It's the same chain OCR now tests in healthcare and C3PAOs test in defense, wearing a financial-services uniform — and it's the chain PRISM is built to maintain: requirements mapped to evidence, gaps flagged with what's missing, and the documentation trail that lets a CISO sign in April without a private flinch. Foundations adds the layer the board asks about: what the risk assessment's findings mean in dollars, and whether the program investment matches the institution's actual exposure — the proportionality question examiners and directors are converging on.

If you're also in scope for SEC or EU regimes

Part 500 rarely travels alone. Public financial institutions face SEC materiality disclosure on top of it, and firms serving EU institutions inherit DORA obligations through contracts. The frameworks overlap heavily at the control level — which makes them three reporting views of one evidence pool, not three programs, if your evidence is mapped that way.

Citations per 23 NYCRR Part 500 as amended November 2023, with phased deadlines complete November 2025. Class A thresholds and obligations per §500.1 and NYDFS guidance; enforcement figures per public NYDFS actions. This page is educational, not legal advice. Updated June 2026.
