Are you ready for the new asset management and data retention requirements for financial services companies effective Nov 1, 2025?
By: Parker WilliamsBy Nov 1, 2025, financial institutions must comply with requirement 500.13 on asset management and data retention.
By November 1, 2025, financial institutions are required to comply with New York Department of Financial Services (NYDFS)’s legislation (Section 500.13) concerning asset management and data retention.
This involves establishing written policies and procedures within their cybersecurity program to ensure the creation and maintenance of a detailed and documented asset inventory of their information systems. This inventory must track essential details for each asset. The policies must also outline the frequency for updating and validating the asset inventory. Additionally, there must be policies in place for the secure disposal of nonpublic information that is no longer necessary for business operations, unless retention is mandated by law or regulation, or disposal is impractical due to the way the information is maintained.
Asset Management
NYDFS requires “Covered Entities”, any entity that is required to operate under a license, registration, or other authorization under New York's Banking Law, Insurance Law, or Financial Services Law, must create and maintain a complete and accurate asset inventory of their information systems throughout the entire life cycle of ownership. This requires a Covered Entity to track key information for each asset, to include but not limited to:
- Purchase date
- Provisioning date
- Technology deployed/versioning
- Owner
- Location of asset
- Classification of asset
- Data Access rights
- Monitoring audit history (incidents reported/remediations)
- Warranty/Support expiration date
- End of Life (EOL) date
- Dependencies
- Data removal/retention/reassignment audit
- Disposal certification
- Audit confirmations
Data Disposal
NYDFS requires “Covered Entities” to have demonstrated evidence of securely disposing of non-public information that is no longer needed for business operations. This includes information that is not required to be retained by law or regulation, and for which targeted disposal is not unreasonably difficult. This requires a Covered Entity to track key information for each asset, to include but not limited to:
- EOL date
- Dependencies
- Data removal/retention/reassignment audit
- Disposal certification
- Audit confirmations
Ensure NYDFS 500.13 Compliance with Oomnitza
We solve the headaches of financial services companies having to comply with NYDFS’s asset management and data retention requirements with a Modern IT Asset Management (ITAM) solution pulling in data from all of your systems. We then aggregate, normalize, and improve the data.
Oomnitza’s modern, asset-centric, approach to ITAM puts the asset at the center of your universe and drives data integrity, automation, and compliance with an asset-first approach.
How we do it:
- We connect to any system with REST APIs and currently offer 2,000+ out-of-the-box integration points with well-known systems.
- We aggregate, normalize, and enrich your data to ensure accuracy across systems.
- We listen and automate changes to and from the asset systems to ensure integrity across your technology ecosystem and IT process lifecycle.
- We pull all that data into a unified dashboard with comprehensive visibility across the full asset lifecycle.
- We give you a single source of truth, enabling IT to maximize technology investments and keep business performance at optimal levels.
The result?
Data integrity across your business infrastructure (physical and digital) that ensures compliance with 500.13.
You get clean and accurate technology asset data. You can then enrich your CMDB with this clean, trustworthy data and can run seamless automations across your technology ecosystem with confidence and you'll always be NYDFS 500.13 audit-ready.
Schedule time to learn more about how our modern, asset-centric, approach to ITAM can ensure your 500.13 compliance here.
This blog provides a high-level overview of some options and actions that may be necessary for enhancing your organization's cybersecurity practices in light of the updated amendments to 23 NYCRR Part 500. It is not intended to ensure compliance with all legal requirements or to cover every new amendment to the law. For detailed information about the updated amendments, please visit:
https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.