Are you ready for the new asset management and data retention requirements for financial services companies effective Nov 1, 2025?

By Nov 1, 2025, financial institutions must comply with requirement 500.13 on asset management and data retention.

 

By November 1, 2025, financial institutions are required to comply with the New York Department of Financial Services (NYDFS) requirements in Section 500.13 concerning asset management and data retention.

This involves establishing written policies and procedures within their cybersecurity program to ensure the creation and maintenance of a detailed and documented asset inventory of their information systems. This inventory must track essential details for each asset. The policies must also outline the frequency for updating and validating the asset inventory. Additionally, there must be policies in place for the secure disposal of nonpublic information that is no longer necessary for business operations, unless retention is mandated by law or regulation, or disposal is impractical due to the way the information is maintained.

Asset Management

NYDFS requires “Covered Entities” (any entity that is required to operate under a license, registration, or other authorization under New York's Banking Law, Insurance Law, or Financial Services Law) to create and maintain a complete and accurate asset inventory of their information systems throughout the entire life cycle of ownership. This requires a Covered Entity to track key information for each asset, including but not limited to:

  • Purchase date
  • Provisioning date
  • Technology deployed/versioning
  • Owner
  • Location of asset
  • Classification of asset
  • Data Access rights
  • Monitoring audit history (incidents reported/remediations)
  • Warranty/Support expiration date
  • End of Life (EOL) date
  • Dependencies
  • Data removal/retention/reassignment audit
  • Disposal certification
  • Audit confirmations

Data Disposal

NYDFS requires “Covered Entities” to have demonstrated evidence of securely disposing of non-public information that is no longer needed for business operations. This includes information that is not required to be retained by law or regulation, and for which targeted disposal is not unreasonably difficult. This requires a Covered Entity to track key information for each asset, including but not limited to:

  • EOL date
  • Dependencies
  • Data removal/retention/reassignment audit
  • Disposal certification
  • Audit confirmations

Ensure NYDFS 500.13 Compliance with Oomnitza

We solve the headaches of financial services companies having to comply with NYDFS’s asset management and data retention requirements with a Modern IT Asset Management (ITAM) solution pulling in data from all of your systems. We then aggregate, normalize, and improve the data.

Oomnitza’s modern, asset-centric approach to ITAM puts the asset at the center of your universe and drives data integrity, automation, and compliance with an asset-first approach.

How we do it:

  • We connect to any system with REST APIs and currently offer 2,000+ out-of-the-box integration points with well-known systems.
  • We aggregate, normalize, and enrich your data to ensure accuracy across systems.
  • We listen and automate changes to and from the asset systems to ensure integrity across your technology ecosystem and IT process lifecycle.
  • We pull all that data into a unified dashboard with comprehensive visibility across the full asset lifecycle.
  • We give you a single source of truth, enabling IT to maximize technology investments and keep business performance at optimal levels.

The result?

Data integrity across your business infrastructure (physical and digital) that ensures compliance with 500.13.

You get clean and accurate technology asset data. You can then enrich your CMDB with this clean, trustworthy data and run seamless automations across your technology ecosystem with confidence, and you'll always be NYDFS 500.13 audit-ready.


Schedule time to learn more about how our modern, asset-centric approach to ITAM can ensure your 500.13 compliance here.


This blog provides a high-level overview of some options and actions that may be necessary for enhancing your organization's cybersecurity practices in light of the updated amendments to 23 NYCRR Part 500. It is not intended to ensure compliance with all legal requirements or to cover every new amendment to the law. For detailed information about the updated amendments, please visit:
https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

 
