NYDFS 23 NYCRR 500 Compliance
NYDFS Part 500 compliance automated at merge time.
3,000+ financial institutions regulated by NYDFS must maintain cybersecurity programs with documented change controls. MergeWhy captures that evidence from every pull request.
Final compliance tranche effective November 2025. All requirements now mandatory.
3,000+ institutions regulated
$10T in assets covered
15 controls mapped
Nov 2025 deadline
Capabilities
Built for financial services CISOs.
Cybersecurity Program Documentation
Automated evidence that your SDLC meets Part 500 requirements. Every code change generates a Decision Evidence Record documenting procedures, approvals, and testing.
Asset Inventory Integration
Link code changes to systems and data assets in your inventory. Trace which regulated systems were modified, by whom, and with what authorization.
MFA Verification
Evidence from cloud integrations proving MFA is enforced on development access. AWS IAM, Azure Entra ID, and GCP organizational policies checked automatically.
CISO Board Reporting Evidence
Compliance trend reports and evidence packages formatted for board presentations. Show your board of directors that cybersecurity controls are operating effectively.
Incident Response Readiness
Immutable audit trail for post-incident forensic review. SHA-256 sealed evidence proves what changed, when, and who approved it — before the incident occurred.
Continuous Monitoring
Real-time compliance scoring with drift detection and gap alerts. Know immediately when a change lacks required evidence instead of discovering it during an examination.
How It Works
Three steps to audit-ready evidence.
Install the GitHub App
Connect your repositories in under 2 minutes. MergeWhy begins capturing change management evidence from your very first PR.
Merge as usual
Developers change nothing about their workflow. Every merge generates a Decision Evidence Record with approvals, reviews, and test results.
Export for examiners
Generate compliance bundles mapped to Part 500 sections. Evidence sealed with SHA-256 for integrity verification during DFS examinations.
Coverage
Key Part 500 sections covered.
500.03 — Cybersecurity Policy
Written policy requirements
Documented policies governing change management, access controls, and system security
500.06 — Audit Trail
Activity logging
Systems designed to reconstruct material financial transactions and detect unauthorized access
500.07 — Access Privileges
Least privilege enforcement
Limit access to information systems to authorized individuals with periodic review
500.14 — Monitoring
Continuous surveillance
Implement risk-based monitoring of authorized user activity and detect unauthorized access
Get Started
NYDFS compliance without the compliance tax.
See how MergeWhy automates Part 500 change control evidence. Continuous monitoring included. Free for your first repository.