NYDFS Part 500: Business Continuity and Vendor Risk Requirements
NYDFS Part 500 requires covered entities to maintain a written business continuity and disaster recovery (BCDR) plan, test it at least annually, and document third-party service provider risk. The 2023 amendments tightened the annual compliance certification (it must now be signed by the entity's highest-ranking executive and its CISO) and raised examiner expectations significantly. Policies alone do not satisfy the regulation. DFS examiners ask for evidence that programs are operational, tested, and current.
The New York Department of Financial Services cybersecurity regulation is one of the most actively enforced state-level compliance frameworks in the country. DFS has levied significant penalties against covered entities that failed to maintain adequate programs, and the 2023 amendments raised both the documentation standard and the personal accountability of senior officers who certify compliance.
For covered entities, the gap between having a program and being able to prove it is operational has become the central compliance risk. This page covers what Part 500 requires for business continuity and vendor risk, what changed in 2023, where firms consistently fall short, and what examiners ask for when they arrive.
What NYDFS Part 500 Requires
Part 500 applies to any entity operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law, subject to the limited exemptions in section 500.19. That scope is broad, covering banks, insurers, mortgage servicers, money transmitters, and a wide range of other financial services firms with a New York presence or customer base.
The regulation requires covered entities to implement a cybersecurity program that addresses several specific areas. Two of the most consistently examined are business continuity planning and third-party vendor risk.
Business Continuity and Disaster Recovery
Part 500 (section 500.16) requires a written business continuity and disaster recovery plan that addresses how the entity will continue operating and protect nonpublic information in the event of a disruption, including the essential systems, data, facilities, personnel, and third parties the entity depends on, the responsible personnel, and a communications plan. The plan must be tested at least annually with the staff and management critical to the response, and the entity must also test its ability to restore critical data and information systems from backups. That testing must produce documented outputs, and the plan must be revised as necessary afterward. An exercise that was conducted but never formally documented does not satisfy the annual testing requirement.
The plan must reflect the current state of the entity's operations. A continuity plan written two years ago that references systems, staff, or vendors no longer in place is not a compliant plan. DFS examiners check for currency as part of standard review, and a plan that is clearly outdated is treated as evidence of a program that is not actively maintained.
Third-Party Vendor Risk
Part 500 (section 500.11) requires covered entities to implement written policies and procedures governing the cybersecurity practices of third-party service providers. Those policies must cover identification and risk assessment of providers, minimum cybersecurity practices required of them, due diligence before engagement, and periodic assessment of providers based on the risk they present and the continued adequacy of their practices. A vendor list without associated risk assessments and monitoring records does not satisfy this requirement.
The vendor risk requirement extends to all third parties with access to the entity's information systems or nonpublic information. Covered entities that limit their vendor oversight to major technology providers while leaving smaller or newer vendors unassessed have a compliance gap that DFS examiners identify consistently.
If your organization is preparing for a DFS examination or addressing findings from a prior review, the documentation gaps that produce the most examination findings are outdated continuity plans, informal or undocumented testing, and vendor risk programs that cover some but not all third-party relationships.
The 2023 Amendments: What Changed
The 2023 amendments to Part 500 represent the most significant update to the regulation since its original enactment. Several changes directly affect how covered entities must approach business continuity and vendor risk documentation.
Senior Officer Certification
Covered entities were already required to submit an annual certification of compliance under the original regulation. The amended regulation requires that certification to be signed by the entity's highest-ranking executive and its CISO, and, where the entity cannot certify, requires instead a written acknowledgment of noncompliance that identifies the deficient areas and a remediation timeline. That change creates personal accountability for senior leadership in a way the original regulation did not. Officers who certify compliance without a documented, current, and operational program face personal exposure if DFS examines the entity and finds otherwise.
Board Oversight Requirements
The amended regulation requires the board of directors or equivalent governing body to have sufficient understanding of the entity's cybersecurity program to exercise appropriate oversight. That requirement has a practical implication: the program must be documented in a form that board members can review, understand, and attest to having overseen. Programs that exist informally or primarily in the knowledge of a single staff member do not meet this standard.
Expanded Asset Management and Data Requirements
The 2023 amendments added an asset inventory requirement (section 500.13) alongside the existing limitations on data retention and the policy requirements for data governance and classification of nonpublic information. For entities whose business continuity and vendor risk programs were built under the original regulation, these additions create new documentation obligations that may not have been addressed in existing program materials: a continuity plan cannot identify the systems and data essential to recovery if the entity has no maintained inventory of them.
The most common DFS examination finding in business continuity and vendor risk is not a missing policy. It is a policy that exists and a program that does not. Examiners arrive expecting to see documentation of an operational program. When they find policies unaccompanied by testing records, vendor assessments, or evidence of ongoing oversight, the finding is the same regardless of how well the policy is written.
Senior officers who have certified compliance under the amended regulation have personal exposure when that gap exists. The certification is not a formality. It is an attestation that the program is real.
Where Covered Entities Consistently Fall Short
DFS examination findings in business continuity and vendor risk follow predictable patterns. The gaps are not random. They reflect structural decisions that organizations made when they built their compliance programs, and they recur across entity types, sizes, and industries.
The most common gap is informal testing. Covered entities conduct tabletop exercises, walk-throughs, and scenario reviews, but they do not retain structured documentation of what was tested, who participated, what gaps were identified, and what remediation followed. The exercise happened. The evidence did not survive it. DFS examiners treat undocumented testing as no testing at all.
The second most common gap is partial vendor coverage. Entities assess their largest or most visible technology vendors but leave smaller, newer, or lower-tier vendors outside the program. The regulation does not exempt low-risk vendors from the program: every third party that maintains, processes, or has access to nonpublic information must be identified and risk-assessed, although the depth and frequency of assessment may scale with the risk the vendor presents. Documentation is required regardless of the size or duration of the relationship.
The third gap is currency. Plans and assessments that were accurate when written become inaccurate as the organization grows, changes staff, adopts new technology, or adds vendor relationships. A program that is not actively maintained produces documentation that DFS examiners identify as stale, which they treat as evidence of a program that is not actively managed.
See also: Common Audit Failures in Business Continuity and Vendor Risk and How to Create Audit-Ready Documentation Without Rebuilding It Every Year.
What DFS Examiners Ask For
DFS examination requests for business continuity and vendor risk follow a consistent pattern. Examiners begin with written policies, then request evidence of implementation. The gap between those two requests is where most findings originate.
For business continuity, examiners typically request the current written plan, documentation of the most recent annual test including participants, outputs, and findings, evidence that the ability to restore critical data and systems from backups was tested, evidence that the plan has been updated following any significant operational changes, and the identity of the senior officer responsible for the program.
For vendor risk, examiners request the entity's third-party service provider inventory, risk assessments for vendors with access to nonpublic information, documentation of how minimum security requirements have been communicated to and confirmed by vendors, and evidence of ongoing monitoring rather than one-time onboarding review.
How NYDFS Relates to Other Frameworks
Covered entities that also operate under SOC 2, ISO 27001, SEC Regulation S-P, or DORA will find substantial overlap in the business continuity and vendor risk requirements across these frameworks. The evidence that satisfies Part 500 testing requirements often satisfies SOC 2 availability criteria. The vendor oversight documentation that DFS examiners request maps closely to what SEC examiners look for under Reg S-P.
The practical advantage of building documentation that accounts for multiple frameworks from the start is significant. Entities that build for one framework and retrofit for others consistently produce documentation that partially satisfies each and fully satisfies none. The more durable approach is to build to the most specific requirement and let that coverage extend to the others.
See also: Business Continuity and Vendor Risk Evidence Across Frameworks and How to Document Vendor Risk for Compliance Frameworks.
Frequently Asked Questions
Who does NYDFS Part 500 apply to?
Part 500 applies to any person or entity operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law, subject to the limited exemptions in section 500.19. This includes banks, insurers, mortgage servicers, money transmitters, and a broad range of other financial services firms licensed in New York.
What business continuity documentation does NYDFS require?
Part 500 requires a written business continuity and disaster recovery plan, evidence of annual testing with documented outputs, and documentation that the plan reflects the current state of the organization. Informal testing with no retained output does not satisfy the annual testing requirement.
What changed in the 2023 NYDFS amendments?
The 2023 amendments require the annual compliance certification to be signed by the highest-ranking executive and the CISO (with a written acknowledgment of noncompliance as the alternative), strengthened board oversight obligations, added asset inventory and business continuity and disaster recovery plan requirements, and increased the specificity of documentation expected across all program areas including vendor risk.
What does NYDFS require for third-party vendor risk?
Part 500 requires written policies governing vendor cybersecurity practices, minimum security requirements for third parties with access to nonpublic information, periodic vendor assessments, and documented ongoing oversight. A vendor list without associated assessments and monitoring records does not satisfy the requirement.
How often does NYDFS require business continuity testing?
Part 500 requires testing of business continuity and disaster recovery plans at least annually, with the staff and management critical to the response, together with a test of the entity's ability to restore critical data and information systems from backups. That testing must produce documented outputs that examiners can review. Exercises conducted but not formally documented do not satisfy the annual testing requirement.
Continuity Strength produces AI-assisted business continuity and vendor risk documentation built for NYDFS Part 500 compliance, including the 2023 amendments. Current, documented, and examination-ready.