FAQs: NYDFS (23 NYCRR 500): scope, Class A, and customer documentation

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

NYDFS (23 NYCRR 500) customer questions

Does NYDFS require an audit?

An independent audit is not required unless the covered entity is a Class A company. Compliance is demonstrated by submitting the annual Certification of Compliance through the NYDFS website.

How is Class A different from regular covered entities?

Class A companies must comply with all baseline NYDFS cybersecurity requirements, plus additional obligations such as annual independent audits of their cybersecurity program, third-party risk assessments every three years, use of endpoint detection and response (EDR), centralized logging, and privileged access management solutions.

If a customer asks for proof of NYDFS compliance, what documentation can we provide?

NYDFS does not issue an audit report like SOC 2 or ISO. Instead, covered entities file an annual Certification of Compliance with NYDFS. You can share a copy of your certification along with supporting documents (such as cybersecurity policies, risk assessment summaries, or penetration testing results) under NDA. Some companies also prepare a “NYDFS Compliance Statement” or Trust Center page summarizing how they meet the regulation.

What is a Class A company under NYDFS 23 NYCRR 500?

A Class A company is a covered entity that meets certain size thresholds. You qualify if you have over $20 million in gross annual revenue in New York and more than 2,000 employees (including affiliates), or if you have over $1 billion in gross annual revenue globally (including affiliates).

What is NYDFS?

NYDFS 23 NYCRR 500 is a cybersecurity regulation issued by the New York Department of Financial Services. It requires financial institutions operating in New York State to implement stringent cybersecurity measures, including risk assessments, encryption, incident response plans, and ongoing monitoring, to protect sensitive data.

Who does NYDFS apply to?

NYDFS 23 NYCRR 500 applies to financial institutions in New York State such as banks, insurance companies, mortgage lenders, and other financial services providers regulated by the New York Department of Financial Services.
