NY DFS 23 NYCRR 500 §500.13
Asset-management requirements for covered entities. Effective 2025-11-01.
Title 23 of the New York Codes, Rules and Regulations Part 500 ("23 NYCRR Part 500") is the New York State Department of Financial Services (DFS) Cybersecurity Regulation. It has been amended twice since its original enactment: a first amendment in April 2020, and a Second Amendment promulgated on 2023-11-01. The regulation page on the DFS Cybersecurity Resource Center is at dfs.ny.gov.
Section 500.13 ("Asset management and data retention requirements") was added by the Second Amendment. Subsection (a), the asset-inventory requirement that names a "support expiration date" as a tracked field, became effective on 2025-11-01 per the staggered transition schedule in §500.22. The regulation applies to "covered entities," defined in §500.1(e) as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law. This is broad: state-chartered banks, licensed lenders, insurance companies, money transmitters, virtual currency businesses, mortgage servicers, and others all sit inside it.
The clause that matters for lifecycle planners: §500.13(a)(1)(iv) lists "support expiration date" as a required field in the asset inventory. That phrase is verbatim from the regulation PDF on dfs.ny.gov, and it is the most explicit end-of-vendor-support reference in any U.S. financial-services rule we are aware of.
The §500.13 text
"500.13 Asset management and data retention requirements.
(a) As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity's information systems. The asset inventory shall be maintained in accordance with written policies and procedures. At a minimum, such policies and procedures shall include:
(1) a method to track key information for each asset, including, as applicable, the following:
(i) owner;
(ii) location;
(iii) classification or sensitivity;
(iv) support expiration date; and
(v) recovery time objectives; and
(2) the frequency required to update and validate the covered entity's asset inventory."
23 NYCRR §500.13(a), Second Amendment to Part 500 (promulgated 2023-11-01; §500.13(a) compliance deadline 2025-11-01). DFS PDF.
Subsection (b) covers secure disposal of nonpublic information no longer needed for business purposes. It is not the lifecycle-planning hook; (a)(1)(iv) is. The full §500.13 text including (b) is in the PDF cited above.
Who is a covered entity
§500.1(e) defines the term verbatim:
"Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies."
23 NYCRR §500.1(e). DFS PDF.
Summarized from §500.1: limited exemptions in §500.19 reduce specific obligations for very small or low-risk covered entities (for example, fewer than 20 employees and under $7.5M in revenue from New York operations), but §500.13's asset-inventory requirement applies broadly. There is also a "Class A company" tier (§500.1(d)) with additional obligations, defined as covered entities with at least $20M in gross annual revenue and either over 2,000 employees or over $1B in gross annual revenue across affiliates. Verify your entity's specific obligations against the regulation text and DFS guidance.
What this means operationally
§500.13(a)(1)(iv) puts the words "support expiration date" into the regulation text. It does not enumerate compensating controls, prescribe vendor-specific lifecycle terminology, or define what counts as "support" (vendor-supported software updates? security patches only? hardware RMA?). DFS does not answer those questions in §500.13 and we will not invent answers. Your CISO and counsel reconcile the field in your asset inventory to the milestones each vendor publishes. Use our lifecycle terminology reference for the cross-vendor decoder, and the 12-month and 24-month calendar feeds to populate the "support expiration date" column for the network gear in scope. The broader compliance terminology lives at compliance and insurance impact.
Sources
- 23 NYCRR Part 500, Second Amendment text (DFS PDF, 2023-11-01) (primary)
- DFS Cybersecurity Resource Center: 23 NYCRR Part 500 overview, FAQs, implementation timeline (primary)
- Hogan Lovells: NYDFS final set of cybersecurity requirements under amended Part 500 take effect November 1, 2025 (supporting context, not primary)