NYDFS 23 NYCRR 500

23 NYCRR 500 is the New York Department of Financial Services' cybersecurity regulation. It requires covered entities to maintain a cybersecurity program with audit trails, access controls, encryption of nonpublic information, and continuous monitoring.

When AI systems process or can access nonpublic information, those requirements extend to them — the audit-trail (500.06), access (500.07), encryption (500.15), and monitoring (500.14) obligations apply to the AI request path too.