In early 2017, the New York Department of Financial Services enacted a regulation enacted a regulation, 23 NYCRR 500, that set minimum cybersecurity standards within the State of New York.

The regulation impacts "Covered Entities," who include all financial institutions, including banks, money managers, and insurance companies among others that conduct business within New York.

These standards require designing and maintaining a cybersecurity program to protect the confidentiality, integrity, and availability of the Information Systems and any Nonpublic Information belonging to consumers. The Regulation mandates a number of additional requirements.

In late 2023, the NYDFS enacted an amendment to the regulation, which mandated a host of new requirements for Covered Entities.