Compliance deep dive · reviewed 2026-05-22

NYDFS Part 500 IAM requirements — Section 500.7, 500.12, and the 2023 + 2024 amendments

New York DFS Part 500 cybersecurity regulation IAM provisions — including the 2023 second amendment + phased deadlines through November 2025.

Authority

New York State Department of Financial Services (NYDFS)

Effective date

Original Part 500 effective March 2017; second amendment effective November 1, 2023; final phased deadlines through November 1, 2025.

Jurisdiction

New York State — but de facto national reach, because most major US financial institutions hold NY licenses.

Evidence cadence

NYDFS Cybersecurity Division conducts examinations — scheduled + ad-hoc + post-incident

Scope

Any "covered entity" under New York banking, insurance, or financial services law — including banks, insurance companies, mortgage servicers, charitable trusts, virtual currency businesses, and money transmitters operating in NY.

IAM-relevant controls

The controls that matter for IAM.

  • 500.7

    Access Privileges + Management

    What it requires: Limit user access privileges to information systems that provide access to Nonpublic Information. Periodically review access privileges. (2023 amendment expanded to require privileged-access controls.)

    Evidence example

    Access certification campaign output + privileged-account inventory + JML automation log + quarterly review documentation.

  • 500.12

    Multi-Factor Authentication

    What it requires: MFA shall be utilized for any individual accessing the covered entity's internal networks from an external network. The 2023 amendment expanded this to "any privileged accounts" + all third-party access.

    Evidence example

    MFA enforcement evidence on remote-access + privileged accounts + third-party / vendor access + phishing-resistant factor on privileged.

  • 500.7(a)

    Privileged-Access Controls (2023 amendment)

    What it requires: Privileged accounts limited to where necessary, only used when performing functions requiring such access, and reviewed periodically. The 2023 amendment is specific + prescriptive on this point.

    Evidence example

    PAM vault inventory + JIT elevation log + standing-privilege elimination evidence + privileged-account quarterly review.

  • 500.13

    Asset Management + Data Retention

    What it requires: Maintain an accurate inventory of information systems including identity systems. Securely dispose of Nonpublic Information no longer necessary.

    Evidence example

    IT asset inventory including identity infrastructure + retention policy + sanitization evidence.

  • 500.14

    Monitoring + Training

    What it requires: Monitoring of authorized user activity. Risk-based cybersecurity awareness training. Detection of unauthorized access.

    Evidence example

    ITDR detection rules + SIEM ingestion of IdP / PAM events + annual security awareness training records.

  • 500.4

    CISO + Cyber Governance (2023 amendment expanded)

    What it requires: Designate a qualified CISO. The 2023 amendment requires the CISO to report at least annually to the board, and gives the CISO authority over the cybersecurity program.

    Evidence example

    CISO appointment + annual board report + program-authority memo.

  • 500.17

    Notices to Superintendent

    What it requires: Notice to NYDFS within 72 hours of a cybersecurity event. The 2023 amendment expanded this to include ransomware payments.

    Evidence example

    Incident response runbook with 72-hour notification trigger + decision log + Superintendent contact procedure.

Why Part 500 matters far beyond New York

Most major US banks, insurers, and financial services firms hold New York licenses (BitLicense, BSB, insurance licenses). Compliance with Part 500 is therefore de facto required for most of the US financial industry. Additionally, the NAIC Insurance Data Security Model Law (adopted by 20+ states) closely mirrors Part 500 for insurance specifically — extending similar requirements nationally.

The 2023 second amendment — what changed

The November 2023 amendment was the largest expansion of Part 500. Key IAM-related changes:

  • MFA expanded to all privileged accounts + third-party access (not just remote access)
  • Privileged-access controls explicit (500.7(a)) with prescriptive standing-privilege limitations
  • 24-hour ransomware-payment notification (separate from the 72-hour event notification)
  • Asset inventory now explicitly required (500.13(a)) — including identity systems
  • CISO + board governance enhanced (500.4)
  • "Class A" covered entities (the largest) get additional requirements including independent audits

Common IAM compliance gaps post-amendment

Practitioners report the following recurring gaps in NYDFS examinations:

  • Third-party / vendor MFA — covered for direct employees but ambiguous for contractor / consultant / vendor access
  • Privileged accounts in cloud — clean inventory of on-prem privileged accounts but cloud service accounts proliferate
  • Risk-based MFA on customer surfaces (consumer banking) — Part 500 requires it but FFIEC guidance is also at play
  • Audit log retention — Part 500 requires 5 years for security event logs (500.6); some systems retain less by default

Common findings

  • 500.12 — MFA on workforce remote access OK, but exceptions for "legacy" or "internal-only" systems that turn out to be reachable
  • 500.7(a) — privileged-account inventory hasn't kept pace with cloud expansion
  • 500.14 — logs ingested but monitoring is reactive (post-incident) rather than proactive (rule-based)
  • 500.17 — 72-hour clock starts on the incident "occurrence" not "discovery" — common misalignment
  • 500.4 — CISO board reporting frequency is fine but the substance lacks technical detail
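As an added example (not code from the original page or from askmeidentity), a small Python check that runs the gaps and findings listed above over a constructed account inventory and log-retention table. The 90-day review window and the set of factors counted as phishing-resistant are assumed thresholds drawn from the page's "quarterly review" and "phishing-resistant factor on privileged" evidence examples, not from the regulation text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy choices (not regulation text): which factors count as
# phishing-resistant, and a quarterly (90-day) access-review window.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
REVIEW_WINDOW_DAYS = 90
LOG_RETENTION_MIN_DAYS = 5 * 365  # 500.6: five years of security event logs
TODAY = date(2026, 5, 22)         # fixed "as of" date for the sample run

@dataclass
class Account:
    name: str
    privileged: bool
    third_party: bool           # contractor / consultant / vendor identity
    remote_access: bool         # reaches internal networks from outside
    mfa_factor: Optional[str]   # None means no MFA enrolled
    standing_privilege: bool    # always-on admin rights, no JIT elevation
    last_review: Optional[date]

Finding = Tuple[str, str, str]  # (subject, Part 500 section, description)

def check_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Flag 500.12 MFA gaps and 500.7 / 500.7(a) privileged-access gaps."""
    out: List[Finding] = []
    for a in accounts:
        needs_mfa = a.remote_access or a.privileged or a.third_party
        if needs_mfa and a.mfa_factor is None:
            out.append((a.name, "500.12", "no MFA on remote, privileged or third-party access"))
        elif a.privileged and a.mfa_factor not in PHISHING_RESISTANT:
            out.append((a.name, "500.12", f"privileged account on weak factor {a.mfa_factor}"))
        if a.privileged and a.standing_privilege:
            out.append((a.name, "500.7(a)", "standing privilege, no JIT elevation"))
        if a.last_review is None or (today - a.last_review).days > REVIEW_WINDOW_DAYS:
            out.append((a.name, "500.7", "access not reviewed within the quarterly window"))
    return out

def check_retention(retention_days: Dict[str, int]) -> List[Finding]:
    """Flag log stores whose configured retention is below the 500.6 five-year minimum."""
    return [(system, "500.6", f"retention {days}d below {LOG_RETENTION_MIN_DAYS}d")
            for system, days in retention_days.items() if days < LOG_RETENTION_MIN_DAYS]

# Constructed sample inventory, not real data.
SAMPLE_ACCOUNTS = [
    Account("vendor-svc-01", False, True, True, None, False, date(2026, 3, 1)),
    Account("cloud-admin", True, False, False, "totp", True, None),
    Account("alice", True, False, True, "fido2", False, date(2026, 4, 15)),
]
SAMPLE_RETENTION = {"cloud-idp-audit": 400, "siem": 1900}
```

Running `check_accounts(SAMPLE_ACCOUNTS, TODAY)` yields four findings (the vendor account with no MFA; the cloud admin on TOTP, with standing privilege and never reviewed) and `check_retention(SAMPLE_RETENTION)` flags the 400-day IdP audit store.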

Penalties

Civil penalties + administrative actions. Penalties have escalated substantially — Robinhood ($30M, 2022), First American Title ($1M, 2021), EyeMed Vision ($4.5M, 2022), PayPal ($2M, 2025). Personal-officer liability for the compliance certification is a unique feature.

Evidence cadence

NYDFS Cybersecurity Division conducts examinations — scheduled + ad-hoc + post-incident. Annual compliance certification required by covered entity senior officer or board (the certification is a personal liability point).

Practitioner notes

What the policy doesn’t tell you.

  • Part 500 is the most prescriptive US cybersecurity regulation. It actually specifies MFA, encryption, multi-year retention, and incident-response requirements rather than the more common "appropriate measures" language.
  • The 2023 second amendment was a major expansion. New requirements include enhanced governance (500.4), CIRP testing (500.16), CISO board reporting, business continuity, asset inventory, and 24-hour ransomware-payment notification.
  • The phased deadlines hit November 1, 2023 / May 1, 2024 / November 1, 2024 / May 1, 2025 / November 1, 2025 — the IAM-specific provisions (500.7 + 500.12) hit at intermediate deadlines.
  • The compliance certification is signed by a senior officer or board member — making this regulation personally important to executives in a way most cyber regs aren't.
  • Many state insurance regulators (and the NAIC Insurance Data Security Model Law) reference or align to Part 500. So the practical reach is much broader than New York.
© 2026 askmeidentity, Inc.