The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

4 mins to read

NYDFS Part 500 Cybersecurity Regulation and Audit Approach

David Lehmann

Managing Director, Technology Audit & Advisory

Thomas Luick

Managing Director, Technology Risk & Resilience

Views
Larger Font
4 minutes to read

The New York Department of Financial Services (NYDFS), New York state’s financial services regulator, issued regulation 23 NYCRR Part 500 (Part 500) in March 2017. It was a landmark cybersecurity regulation intended to address the increasing frequency and sophistication of cyber threats targeting financial institutions. It established a comprehensive set of cybersecurity requirements designed to protect sensitive customer information and ensure the operational resilience of organizations regulated by the NYDFS.

Since its inception, Part 500 has evolved to reflect the dynamic cybersecurity risk landscape. A significant enhancement came into effect in November 2023 when the NYDFS introduced expanded requirements, including a mandate for independent cybersecurity audits for larger institutions classified as “Class A” companies. This shift marked a transition from a reliance on self-attestation management toward a model requiring independent validation of cybersecurity control effectiveness.

The role of independent cybersecurity audits

The purpose of the required cybersecurity audits is to periodically (ideally annually) evaluate and inform management of the design and effectiveness of cybersecurity controls. This then serves as a valuable tool to management as they make their annual compliance certification to the DFS.

More specifically, these audits:

  • Provide independent assurance over the effectiveness of cybersecurity programs.
  • Strengthen management’s confidence in regulatory compliance certifications.
  • Identify control gaps and vulnerabilities that require remediation.
  • Support board and executive oversight of cybersecurity risks.

Regulators have emphasized that cybersecurity audits should not be treated as a “check-the-box” exercise. We think that when properly executed, they function as a strategic tool to enhance risk management, inform investment decisions, and improve resilience against evolving threats. It is important to treat this as an audit and not as a compliance assessment, although the audit should inform management of potential compliance-related issues.

Central importance of the cybersecurity risk assessment

At the core of NYDFS Part 500 rule is the cybersecurity risk assessment, which serves as the foundation for both the cybersecurity program and the audit process. The regulation explicitly ties many requirements to the outcomes of the risk assessment, making it a primary driver of compliance and assurance activities.

The risk assessment is critical to the audit in several ways:

1. Defining audit scope and priorities

The risk assessment identifies the organization’s most significant threats, vulnerabilities, and critical assets. Auditors use these outputs to determine which systems, applications, and processes should be included in scope, ensuring the audit is focused on areas of highest risk. The risk assessment itself should also be subject to audit scrutiny.

2. Aligning the audit with the cybersecurity program

Because the cybersecurity program itself must be based on the risk assessment, the audit evaluates whether controls defined within the cyber program effectively address identified risks.

3. Enabling risk-based testing

We advise that a risk-based approach to audit execution is a leading practice in complying with the audit requirement. Areas identified as higher risk within management’s risk assessment should receive deeper, more detailed testing, while lower risk areas may be deprioritized. This ensures efficient use of audit resources and more meaningful insights.

4. Supporting development of a risk and control framework

Audit teams should develop a structured risk and control matrix (RCM) that includes risk assessment outputs, mapping identified risks and controls to NYDFS requirements. This ensures comprehensive coverage of both risk and compliance objectives.

5. Maintaining audit relevance in a changing environment

Periodic risk assessments should be conducted and updated at least annually for changes in business operations, technology, or threat conditions. This ensures that the audit remains aligned with the organization’s current risk profile and evolving cybersecurity landscape.

Failure to adequately incorporate the risk assessment into audit planning is identified as a common pitfall, leading to gaps in coverage and misalignment with management’s cybersecurity strategy.

6. Risk assessment assurance

The risk assessment itself should also be subject to audit scrutiny. An independent audit of the risk assessment provides assurance that cyber risks are accurately identified, evaluated, and prioritized. This helps ensure audit scope, testing, and NYDFS Part 500 compliance activities remain aligned with the organization’s current risk profile and cybersecurity strategy.

Key implementation and audit considerations

To maximize the value of the NYDFS Part 500 audit process, organizations should adopt a structured, risk-driven approach:

  • Define audit scope based on risk, prioritizing high-risk systems, processes, and data assets for detailed testing.
  • Establish clear criteria for material compliance, enabling consistent evaluation and categorization of audit findings. Develop a methodology for measuring, categorizing, and reporting audit findings that potentially represent material non-compliance with the regulation.
  • Ensure audit independence, either through internal audit functions with appropriate governance or independent external providers.
  • Align audit timing with regulatory certification, ideally completing audits prior to the annual April 15 submission to support management attestation.
  • Deliver clear, actionable reporting, focusing on high-risk findings, control effectiveness, and remediation priorities.

Strategic value beyond compliance

NYDFS Part 500 represents a comprehensive, risk-based approach to cybersecurity regulation in the financial services sector. Its evolution — particularly the introduction of independent audit requirements — reflects increasing expectations for accountability and assurance. The cybersecurity risk assessment is central to this framework, guiding both the design of the cybersecurity program and the execution of the audit.

Organizations that effectively leverage risk assessments to inform audit scope, testing, and reporting will not only meet regulatory expectations but also strengthen their ability to identify, mitigate, and respond to cyber threats. In doing so, they can move beyond compliance and position cybersecurity as a strategic enabler of trust, resilience, and long-term success.

For more information about Banking and Capital Markets, visit here.

 

Protiviti Director Lonzo Jackson contributed to this report.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Post

Authors

David Lehmann

By David Lehmann

Verified Expert at Protiviti

David is a Managing Director leading Protiviti’s Global Technology Risk & Internal Audit practice, bringing deep...

EXPERTISE

Thomas Luick

By Thomas Luick

Verified Expert at Protiviti

Tom is a Managing Director with more than 24 years of experience helping clients in the financial services industry...

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts