NYDFS Part 500 awareness training requirements

NYDFS Part 500 Phishing Awareness Training Requirements (2026)

NYDFS Part 500 (23 NYCRR 500) is the cybersecurity regulation governing banks, insurance companies, money services businesses and other entities licensed by the New York Department of Financial Services. The 2023 Second Amendment to Part 500 was the most consequential update since the regulation took effect in 2017 - and the awareness-training section (500.14) was one of the most materially changed parts of the amendment. The shift: phishing-attack training moved from an implicit to an explicit requirement, and the operational standard around continuous testing rose meaningfully.

This post translates the NYDFS Part 500 awareness-training requirements into a working phishing simulation program: where the prescriptive language sits, what the 2023 amendment changed specifically, what evidence NYDFS examiners want, how the requirements layer with FFIEC for dual-supervised banks and how to satisfy 500.14(a)(3) without building a separate program from scratch.

Who is in scope

Part 500 applies to any entity licensed by NYDFS to operate in New York. The covered entity list:

  • State-chartered banks, trust companies and savings & loans
  • Foreign bank branches operating under New York licensing
  • Insurance companies, agents, brokers and adjusters
  • Mortgage bankers and brokers
  • Money services businesses (money transmitters, check cashers, virtual currency businesses under BitLicense)
  • Premium finance companies
  • Charitable foundations licensed by NYDFS

Importantly, Part 500 applies regardless of where the entity is headquartered. An out-of-state insurance company with NY operations is in scope; an out-of-state bank with a NY branch is in scope. The geographic reach is broader than most state-level cybersecurity regulations.

Section 500.14(a)(3): the awareness training requirement

The original Part 500 (effective 2017) required general cybersecurity training. The 2023 Second Amendment expanded the language to explicitly require "cybersecurity awareness training, including for phishing attacks" at least annually. The change matters because:

  • "Including for phishing attacks" makes phishing-specific training a named requirement rather than implied.
  • The amendment language signals NYDFS's view that generic cybersecurity training without phishing-specific content does not satisfy the regulation.
  • NYDFS examiners post-2023 have cited absence of phishing testing as a finding even when general cybersecurity training is documented.

The implication: covered entities cannot satisfy 500.14(a)(3) with a 30-minute annual cybersecurity video. The training must meaningfully address phishing recognition behavior, and the practical mechanism for doing that is phishing simulation paired with auto-assigned remediation training.

The other Part 500 sections that touch awareness training

Part 500 has several sections that interact with the awareness-training program design:

  • Section 500.2 - requires a cybersecurity program; awareness training is one of the program components.
  • Section 500.3 - requires a written cybersecurity policy approved by the senior officer or Board. The policy must explicitly cover awareness training.
  • Section 500.5 - vulnerability assessments. Phishing simulation results increasingly inform the assessment.
  • Section 500.14(a)(3) - the awareness training section itself.
  • Section 500.16 - incident response plan. Awareness training feeds reporting behavior, which feeds incident response.
  • Section 500.17 - notification of cybersecurity events. Annual certification by April 15. Awareness program effectiveness is implicit in the certification.

The annual certification: Section 500.17(b)

Each year by April 15, the senior officer of a covered entity must file a Notice of Compliance certification (or a Notice of Acknowledgement of Areas of Improvement, if not fully compliant) via the NYDFS Cybersecurity Portal. The certification is not the evidence; it is the senior officer's attestation to NYDFS that the entity has been compliant for the prior calendar year. The supporting evidence (training records, phishing simulation results, policy documentation) lives in the entity's records and is examined on the next NYDFS examination.

The implication for awareness training program design: maintain calendar-year aligned evidence. The fiscal-year-aligned reporting some institutions use for SOC 2 or ISO 27001 needs a parallel calendar-year cut for NYDFS.

How NYDFS Part 500 layers with neighboring frameworks

For dual-supervised institutions or multi-framework compliance programs:

  • vs. FFIEC - banks operating in NY are typically dual-supervised. Both have awareness training expectations; the substantive program design is the same; evidence packets are sliced for each examination. NYDFS examiners are historically more aggressive on annual-training-completion documentation; FFIEC examiners are more demanding on year-over-year trend analysis.
  • vs. SOC 2 - many NY-licensed entities also pursue SOC 2 for their service organization controls. SOC 2 evidence (policy, completion records, effectiveness measurement) can be reused largely as-is for NYDFS. NYDFS adds the calendar-year cut and the explicit phishing-attack-training language.
  • vs. GDPR - for NY-licensed entities with EU customers, both apply. GDPR is data-protection-driven; NYDFS is sector-supervisory. Awareness training evidence is largely interchangeable; the audit posture differs.
  • vs. cyber insurance underwriting - many NY-licensed entities maintain cyber insurance. Underwriters in 2026 explicitly ask about Part 500 compliance posture; the awareness-training evidence package serves both NYDFS examination and cyber-insurance renewal.

Common NYDFS examination findings on awareness training

Patterns that show up in post-2023-amendment NYDFS examination reports:

  • Annual cybersecurity video documented but no phishing-specific testing - direct 500.14(a)(3) finding under amended language.
  • Cybersecurity policy not explicitly approved at senior officer or Board level - 500.3 finding affecting the entire program.
  • Training delivery records but no calendar-year cut - friction during certification preparation.
  • Phishing simulation results exist but only cover the prior 90 days - operational immaturity finding.
  • Section 500.17(b) certification filed without underlying evidence to support it on subsequent examination - escalation risk.
  • Privileged-user role-based training not differentiated - finding under 500.14(a)(3) read against 500.10 (CISO and security personnel).

The practical program shape that satisfies NYDFS Part 500

For a typical NY-licensed financial-services entity:

  • Calendar-year aligned evidence cycle - all training and simulation evidence indexed to calendar year for the April 15 certification
  • Monthly phishing simulation with multi-channel coverage (email + SMS + voice)
  • Auto-assigned remediation training tied to lure category
  • Quarterly trend reports with click-rate, training completion, threshold-exceedance documentation
  • Annual comprehensive training module covering Part 500 program elements (incident reporting via Section 500.17, policy under 500.3, role-based content for privileged users)
  • Section-aligned workpaper packet ready for NYDFS examination at any time (annual examination cycle is the norm)

Where Bait & Phish fits

Bait & Phish is built for the operational profile NYDFS examiners look for: continuous monthly phishing simulation across email, SMS and voice; auto-assigned remediation training; calendar-year-aligned trend reports exportable to PDF; per-user completion records for the Section 500.17(b) certification. The 15+ years of operating history matters - NY-licensed entities under examination value vendors with track-record evidence over newer entrants. Start a 25-user free trial to validate that the platform fits your Part 500 program design, or talk to us about an evidence walkthrough mapped to 500.x section numbers.

This post is informational and does not constitute compliance, legal or examination advice. Specific NYDFS Part 500 compliance scoping, Section 500.17(b) certification preparation, and examination readiness are organization-specific - consult your NY-licensed counsel or compliance advisor for tailored guidance.

See also: Compliance Phishing Requirements Comparison for cross-framework evidence overlap, FFIEC for federal banking supervision for the dual-supervised-bank context, and financial services phishing awareness for the broader vertical-level deep-dive.
