New York's Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, has been one of the most prescriptive cybersecurity regulations in the United States since its initial adoption in 2017. The November 2023 amendments significantly strengthened the requirements, adding explicit provisions that directly affect software supply chain security.
For financial institutions regulated by NYDFS—and for the software vendors that serve them—these amendments raise the compliance bar substantially.
Who's Covered
23 NYCRR 500 applies to all entities operating under NYDFS licenses, registrations, or charters, including:
- Banks and trust companies
- Insurance companies
- Mortgage companies and brokers
- Licensed lenders
- Money transmitters
- Check cashers
The regulation also creates obligations for third-party service providers through required contractual terms. If you're a software vendor serving any of these entities, your security practices are within the regulation's reach.
The 2023 Amendments: Key Changes
CISO Requirements
The CISO must now report material cybersecurity issues to the board (or equivalent governing body) in a timely manner. The board must exercise oversight of the cybersecurity program, including:
- Approving the cybersecurity policy
- Reviewing and approving the CISO's report
- Having sufficient understanding of cybersecurity matters
This board-level accountability creates top-down pressure for comprehensive cybersecurity, including supply chain security.
Asset Inventory
The amendments now explicitly require a complete, accurate, and documented asset inventory that includes:
- Hardware
- Software
- Key assets and their dependencies
- Information systems
The phrase "key assets and their dependencies" is significant. For software systems, this means inventorying not just the applications themselves, but their third-party components, libraries, and services. This is effectively a regulatory requirement for SBOMs.
Vulnerability Management
The amended regulation requires a written policy for vulnerability management that includes:
- Timely remediation of vulnerabilities based on risk
- Automated vulnerability scanning
- Manual review where automated scanning is insufficient
- Monitoring for new vulnerabilities affecting the organization's systems
For software supply chains, this means:
- Continuous scanning of dependencies for known vulnerabilities
- Risk-based prioritization of remediation
- Defined timelines for patching vulnerable components
- Monitoring of vulnerability databases and security advisories
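To make the four supply-chain obligations above concrete, here is an added example (written for this article, not code from Safeguard.sh or NYDFS) that matches a constructed SBOM fragment against a constructed advisory feed, assigns each finding a remediation deadline by severity, and flags what is overdue on a given date; the advisory IDs are placeholders and the SLA days are an assumed internal policy, since the regulation itself only says "timely" and "based on risk".

```python
# Added example: risk-based dependency remediation tracking over a constructed SBOM.
# SLA days are an assumed internal policy; 23 NYCRR 500 only says "timely" and "based on risk".
from datetime import date, timedelta

# Constructed CycloneDX-style component records (not a real inventory).
SBOM_COMPONENTS = [
    {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "openssl", "version": "1.1.1t", "purl": "pkg:generic/openssl@1.1.1t"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
]
# Constructed advisory feed; IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "log4j-core", "fixed_in": "2.17.1", "severity": "critical", "published": date(2024, 1, 10)},
    {"id": "ADV-PLACEHOLDER-2", "name": "openssl", "fixed_in": "1.1.1u", "severity": "high", "published": date(2024, 2, 1)},
    {"id": "ADV-PLACEHOLDER-3", "name": "requests", "fixed_in": "2.31.0", "severity": "medium", "published": date(2024, 2, 15)},
]
# Assumed remediation policy: days allowed per severity.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _version_key(version):
    """Order dotted versions numerically, falling back to text for suffixes like 1.1.1t."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append((int(digits) if digits else 0, part))
    return key


def is_affected(component, advisory):
    """Affected when names match and the installed version is older than the fixed one."""
    return (component["name"] == advisory["name"]
            and _version_key(component["version"]) < _version_key(advisory["fixed_in"]))


def evaluate_sbom(components, advisories, as_of):
    """One finding per affected component: deadline from the advisory date and overdue flag."""
    findings = []
    for comp in components:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            deadline = adv["published"] + timedelta(days=REMEDIATION_SLA_DAYS[adv["severity"]])
            findings.append({"purl": comp["purl"], "advisory": adv["id"], "severity": adv["severity"],
                             "deadline": deadline, "overdue": as_of > deadline})
    # Highest severity first, then earliest deadline, so the list is a remediation queue.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["deadline"]))
    return findings
```

Run against a fresh SBOM export on every build and on every advisory-feed update, and the overdue flag becomes the evidence trail an examiner asks for when checking that remediation actually followed the written policy.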
Access Privilege Management
The amendments strengthen access control requirements:
- Conduct access privilege reviews at least annually
- Disable or delete unnecessary access privileges promptly
- Limit the use of privileged accounts to only necessary tasks
- Implement privileged access management solutions
For software supply chains, this extends to controlling who can modify dependency configurations, approve package updates, and access build pipelines.
Incident Response and Business Continuity
The amendments require incident response plans that address supply chain incidents and business continuity plans that account for third-party service disruptions. Specifically:
- Incident response plans must be tested annually
- Plans must address scenarios involving third-party compromise
- Recovery time objectives must be defined
- Alternative processing capabilities must be considered
Third-Party Service Provider Security
The regulation has always required oversight of third-party service providers, but the amendments add specificity:
- Written policies for minimum cybersecurity practices required of third-party service providers
- Due diligence processes for evaluating third-party cybersecurity practices
- Contractual requirements for cybersecurity controls
- Annual assessment of third-party service provider risk
- Guidelines for due diligence and contractual protections
For software vendors, this means your financial institution customers will increasingly require:
- Evidence of your cybersecurity program
- SBOMs and vulnerability management documentation
- Incident notification commitments
- Regular security assessments
Notification Requirements
The regulation requires notification to NYDFS within 72 hours of a cybersecurity event that has a reasonable likelihood of materially harming normal operations. The amendments also add:
- Notification within 24 hours of ransomware payments
- Notification within 72 hours of unauthorized access to privileged accounts
- Annual reporting on the cybersecurity program
For supply chain incidents, the 72-hour notification window means organizations need rapid detection and assessment capabilities.
Class A Companies
The amendments create a new category: "Class A Companies"—covered entities with at least $20 million in gross annual revenue (from New York operations) and more than 2,000 employees, or over $1 billion in gross annual revenue regardless of employee count.
Class A Companies face additional requirements:
- Independent audit of the cybersecurity program annually
- Endpoint detection and response solutions
- Centralized logging and security event monitoring
- Privileged access management solutions
These enhanced requirements further elevate the importance of supply chain security, as auditors will evaluate the full scope of the cybersecurity program.
Compliance Timeline
The amendments have a phased implementation timeline:
- April 2024 — most requirements take effect
- November 2024 — vulnerability management, access management, incident response, and business continuity requirements
- May 2025 — MFA and asset inventory requirements
- November 2025 — remaining requirements for Class A Companies
Impact on Software Vendors
Software vendors serving NYDFS-regulated entities should prepare for:
- Increased due diligence. Expect detailed security questionnaires and assessments from financial institution customers.
- Contractual security requirements. Contracts will include specific cybersecurity obligations aligned with 23 NYCRR 500.
- SBOM requests. The asset inventory requirement, including dependencies, means customers will request component inventories.
- Vulnerability management evidence. Customers will want evidence of your vulnerability management practices, including timelines and metrics.
- Incident notification requirements. Contracts will require rapid notification of security incidents, supporting the 72-hour regulatory timeline.
How Safeguard.sh Helps
Safeguard.sh directly addresses the NYDFS cybersecurity regulation's supply chain requirements. The platform's automated SBOM generation satisfies the asset inventory obligation for software dependencies, while continuous vulnerability monitoring meets the regulation's vulnerability management requirements. With policy-driven remediation timelines and real-time alerting, Safeguard.sh helps financial institutions and their vendors meet the 72-hour notification window and demonstrate to NYDFS examiners that supply chain security is actively managed—not just documented on paper.