Your NYDFS certification is not a form. It is an attestation that the data behind it exists, is current, and could be produced on demand.

That distinction is where most covered entities will get caught in 2026.

The second amendment to 23 NYCRR 500 became effective November 1, 2023 (Section 500.21(b)). It carried a staggered set of transitional periods (Section 500.22). The longest of those windows ran two years, covering the asset-inventory requirement in Section 500.13(a) and the multi-factor authentication requirement in Section 500.12. That window has now closed. The shorter eighteen-month window covering the revised access-privilege controls in Section 500.7 closed before it.

So the certification a covered entity submits by April 15 is now the first one that has to stand behind a full calendar year with every second-amendment control in force. There is no remaining phase-in to hide behind. This is the post you put in front of your team before that signature goes on the form.

What changes on the 2026 NYDFS 500 compliance date, and who does it bind?

Nothing in the rule text changes in 2026. What changes is the evidence burden.

The 23 NYCRR 500 second amendment phased its new obligations in over time. Section 500.22(d) gave covered entities one year for some controls, eighteen months for others, and two years for the heaviest lifts. The two-year items, asset inventory under Section 500.13(a) and MFA under Section 500.12, were the last to land. With that window expired, an examiner can now reasonably expect a full year of operating evidence for every clause.

The rule binds a covered entity, defined in Section 500.1(e) as any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. Being regulated by another agency does not get you out.

A subset, the Class A company, carries extra obligations. Section 500.1(d) defines it as a covered entity with at least $20,000,000 in gross annual revenue across the last two fiscal years from the entity and its New York-operating affiliates, plus either over 2,000 employees averaged over two years or over $1,000,000,000 in gross annual revenue. If that is you, Section 500.7(c) adds a privileged access management solution and automated blocking of commonly used passwords to the access-control baseline.

The limited exemption in Section 500.19(a) still exists for the smallest entities, fewer than 20 employees and independent contractors, under $7,500,000 in gross annual revenue, or under $15,000,000 in year-end total assets. Read it carefully before you assume it applies. The exemption is partial, it lists specific sections you are released from, and it does not exempt you from Section 500.7 access privileges or Section 500.17 notices.

What does Section 500.13 actually require for asset inventory?

Section 500.13(a) requires each covered entity to implement written policies and procedures designed to produce and maintain a complete, accurate, and documented asset inventory of its information systems.

That is the obligation. The detail is in the five tracked attributes. Your inventory policy must track key information for each asset, including, as applicable:

  1. Owner — who is accountable for the asset.
  2. Location — where it physically or logically sits.
  3. Classification or sensitivity — what data it holds and how that data is rated.
  4. Support expiration date — when the asset goes end-of-life or out of vendor support.
  5. Recovery time objectives — how fast it must come back after a disruption.

Section 500.13(a)(2) adds one more requirement that is easy to skip: your policies must specify the frequency required to update and validate the inventory. A static spreadsheet from last quarter does not satisfy this. The rule wants a defined cadence, written down, and evidence that you followed it.

Note the phrase "as applicable" sitting on the five attributes. It is not a blanket excuse to leave fields blank. It means the attribute attaches where it makes sense for the asset class. If you are going to mark a field not-applicable, your policy should explain the rule for doing so, because an examiner will ask why a production database has no recovery time objective.

How should you evidence access-privilege management under Section 500.7?

Section 500.7 reads like a least-privilege checklist, and that is exactly how you should evidence it. The access-privilege reviews it demands are concrete and testable.

Section 500.7(a) requires each covered entity, based on its risk assessment, to:

  • Limit user access privileges to nonpublic information to only those necessary to perform the user's job (500.7(a)(1)).
  • Limit the number of privileged accounts and limit their access functions to only what the job requires (500.7(a)(2)).
  • Limit the use of privileged accounts to only when performing functions that require that access (500.7(a)(3)).
  • Periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary (500.7(a)(4)).
  • Disable or securely configure all protocols that permit remote control of devices (500.7(a)(5)).
  • Promptly terminate access following departures (500.7(a)(6)).

The annual access review in 500.7(a)(4) is the clause auditors love, because it produces a dated artifact or it does not. Here is the workflow that survives an examination:

  1. Pull the full set of user and service accounts with access to information systems holding nonpublic information.
  2. Route each entitlement to the accountable owner named in your asset inventory, which is why Section 500.13's owner field is not busywork.
  3. Have each owner attest, with a timestamp, that the access is still necessary or mark it for removal.
  4. Execute every removal and capture the deprovisioning record.
  5. Reconcile the leaver list from HR against terminated access to prove the prompt-termination obligation in 500.7(a)(6).
  6. Sign off the review with a date and an owner, and retain it.

If you are a Class A company, Section 500.7(c) layers on a privileged access management solution and automated blocking of commonly used passwords, with a CISO-approved compensating-control path documented in writing at least annually where blocking is infeasible.

What does the CISO certification now obligate you to attest?

Section 500.17(b) requires each covered entity to submit, annually by April 15, either a written certification of material compliance for the prior calendar year, or a written acknowledgment of non-compliance that identifies every section not complied with and provides a remediation timeline.

Two parts of that clause deserve your full attention.

First, the certification must be based upon data and documentation sufficient to accurately determine and demonstrate material compliance. This is the line that turns the form into an evidence obligation. You are not attesting to intent. You are attesting that the underlying records exist and support the claim.

Second, Section 500.17(b)(2) requires the certification or acknowledgment to be signed by the covered entity's highest-ranking executive and its CISO. If you have no CISO, it is signed by the highest-ranking executive and the senior officer responsible for the cybersecurity program. Two signatures, personal accountability.

Section 500.17(b)(3) closes the loop: you must maintain, for five years, all records, schedules, and documentation supporting the certification, including the identification of every area, system, and process that required material improvement and the remedial efforts undertaken. The asset inventory and the access reviews are exactly that supporting documentation.

The acknowledgment path is a genuine option, not a failure. If you cannot certify material compliance, an honest acknowledgment under 500.17(b)(1)(ii) with a remediation timeline is the defensible move. A certification you cannot support with documentation is the one that creates exposure.

Where do most GRC teams fail the asset-inventory and access-review tests?

The failure modes here are predictable. They are where the happy-path documentation breaks.

The inventory is real but stale. You produced a complete asset inventory once. Section 500.13(a)(2) wants a defined update-and-validation frequency and evidence you met it. An inventory that has not moved since the last audit is a finding, not a control.

Owner fields are blank or generic. "IT Department" is not an owner. When you cannot route an entitlement to a named owner during the access review, the review collapses into a guess, and Section 500.7(a)(4) becomes unevidenceable.

Recovery time objectives live in a different system. Section 500.13 wants RTOs on the asset record. If your RTOs sit only in a business-continuity binder that does not reconcile to the inventory, you have two sources of truth and an examiner question.

Termination is "prompt" in policy but not in evidence. Section 500.7(a)(6) demands prompt termination on departure. The gap between the HR leaver date and the actual deprovisioning timestamp is the single most common access-review finding. If you cannot reconcile the two lists, you cannot prove the control.

The certification gets assembled in March. Section 500.17(b) requires documentation sufficient to demonstrate compliance for the prior calendar year. If you start collecting that documentation in the weeks before April 15, you are reconstructing a year of evidence under deadline pressure. That is the project the certification is supposed to replace.

What should you do in the next 90 days to be audit-ready?

Work backward from the April 15 certification and the five-year retention obligation. A practical sequence:

  1. Reconcile your asset inventory against the five Section 500.13(a) attributes. Owner, location, classification, support expiration date, recovery time objectives. Flag every asset missing one and assign remediation.
  2. Confirm your inventory update frequency is written and met. Pull the last two validation runs and check they match the cadence your policy states (500.13(a)(2)).
  3. Run the annual access review under Section 500.7(a)(4) now, not in Q1. Owner attestation, removals executed, leaver reconciliation, dated sign-off.
  4. Test prompt termination. Sample recent departures and measure the gap between HR offboarding and access removal against 500.7(a)(6).
  5. If you are Class A, evidence the PAM and password-blocking controls in Section 500.7(c), including any CISO-signed compensating-control approvals.
  6. Assemble the certification evidence pack as you go. Section 500.17(b)(3) wants five years of supporting documentation. Build it continuously so the April signature is a confirmation, not a scramble.
  7. Decide certification versus acknowledgment early. If a control will not be materially compliant, draft the 500.17(b)(1)(ii) acknowledgment with a remediation timeline rather than over-certifying.

The pattern across all seven steps is the same: every clause needs a dated, owner-attributed artifact that traces back to a written policy. That is what material compliance looks like when an examiner asks to see it.

How do you turn the NYDFS audit pack into a query, not a project?

Here is the structural problem. Your asset inventory feeds your access review. Your access review feeds your certification. Your certification has to be reproducible for five years. If those three live in three different tools with three different update cycles, the audit pack is a project every April.

It should be a query.

When your NYDFS Part 500 controls are mapped once against the source obligations, the certification evidence is a filter over data you already maintain, not a quarterly assembly exercise. Each requirement traces to a verbatim clause of 23 NYCRR 500. Each control maps to an owner and an evidence artifact. The asset inventory's owner field is the same owner the access review routes to. The pre-certification posture is preserved as a dated snapshot, which is exactly the five-year record Section 500.17(b)(3) demands.

This is the same approach that lets one organizational profile satisfy overlapping obligations across frameworks. NYDFS Section 500.7 access controls, ISO 27001:2022 access-control objectives, and SOC 2 logical-access criteria are not three separate evidence collections. They are one set of access reviews, mapped many ways. Answer once. Assess everything.

Map your NYDFS Part 500 controls once and generate the audit pack on demand. No AI hallucinations, every obligation source-grounded to the rule text. See how at aegis-grc.com, and explore audit readiness, risk management, and access governance.

FAQ: NYDFS Part 500 second-amendment final phase-in

When did the NYDFS 500 second amendment take effect, and when did the asset-inventory and MFA controls become enforceable? The second amendment to 23 NYCRR 500 became effective November 1, 2023 (Section 500.21(b)). Section 500.22(d) set transitional periods, with the longest at two years for the asset-inventory requirement in Section 500.13(a) and multi-factor authentication in Section 500.12. The revised access-privilege controls in Section 500.7 fell under the eighteen-month window in Section 500.22(d)(3). All of these phase-in windows have now closed.

Who counts as a covered entity, and who is a Class A company? A covered entity is any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law (Section 500.1(e)). A Class A company (Section 500.1(d)) is a covered entity with at least $20,000,000 in gross annual revenue over the last two fiscal years plus either over 2,000 employees or over $1,000,000,000 in gross annual revenue, and it carries extra access-control obligations under Section 500.7(c).

What exactly must the asset inventory track? Section 500.13(a)(1) requires tracking, for each asset as applicable: owner, location, classification or sensitivity, support expiration date, and recovery time objectives. Section 500.13(a)(2) requires your policies to define the frequency for updating and validating the inventory.

Who signs the CISO certification and how long are records kept? Section 500.17(b)(2) requires the annual certification or acknowledgment, due by April 15, to be signed by the covered entity's highest-ranking executive and its CISO. Section 500.17(b)(3) requires supporting records to be maintained for five years for examination by the Department.