1.0 KiB
NY DFS 500 (23 NYCRR 500)
New York State Department of Financial Services cybersecurity regulation for financial services. The most aggressive US state-level financial cybersecurity rule. Requires: risk assessment, penetration testing, multi-factor authentication, incident response plan, annual certification of compliance by the board.
Who must comply: Any entity regulated by NY DFS — banks, insurers, mortgage brokers, virtual currency companies operating in New York. ~3,000 institutions.
Penalties: $200K-$1M per violation; business license revocation possible.
Why it matters: The annual board certification requirement creates demand for verifiable evidence of control effectiveness — exactly what the gate stack produces. First-mover advantage is significant (few vendors target NY DFS 500 specifically) and the regulation is a template that other states are adopting.