Financial Institutions Have a Looming Deadline for NYDFS 500.13 Compliance on Asset Management and Data Retention
By: Katherine McCleery
By November 1, 2025, financial institutions operating in New York State will be required to comply with the New York Department of Financial Services (NYDFS) updated Section 500.13 rules surrounding asset management and data retention.
Certain organizations have only a few months to revamp their current IT asset management (ITAM) and data practices, put together new policies that comply with the legislation, and build the technology infrastructure that unifies asset data and reduces risk.
But when it can take enterprises several months to set up a successful ITAM program, Chief Information Security Officers and IT leaders are against the clock to do everything necessary to comply with NYDFS’s 500.13 statute.
Keep reading to learn:
- What these new rules entail
- The challenges they’ll put on financial institutions
- What can be done to get compliant
Understanding Section 500.13
The NYDFS supervises over 3,000 institutions that hold almost $10 trillion in assets. This statute applies to “Covered Entities,” any entity that is required to operate under a license, registration, or other authorization under New York's Banking Law, Insurance Law, or Financial Services Law.
That includes:
- State-chartered banks
- Private bankers
- Licensed lenders
- Mortgage companies
- Trust companies
- Service contract providers
- Insurance companies that do business in New York
- Non-U.S. banks licensed to operate in New York
Under Section 500.13, financial institutions must establish written policies and procedures within their cybersecurity program to ensure the creation and maintenance of a detailed and documented asset inventory of their information systems. These policies must track essential details for each asset as well as outline the frequency for updating and validating the asset inventory.
Additionally, there must be policies in place for the secure disposal of nonpublic information that is no longer necessary for business operations. The only exception is when retention is mandated by law or regulation or the data’s disposal is impractical due to the way the information is maintained.
While 500.13 will make significant improvements in protecting IT asset data and limiting cybersecurity threats, it’s going to require enterprises to do some heavy lifting to meet regulatory requirements.
Asset Management Under 500.13
All Covered Entities must create and maintain a complete and accurate asset inventory of their information systems throughout the entire life cycle of ownership (from the time of purchase through disposition).
These businesses will have to track key information for each asset, including but not limited to the asset’s:
- Owner
- Location
- Classification
- Dependencies
- Purchase date
- Provisioning date
- Data access rights
- Audit confirmations
- Disposal certification
- End of Life (EOL) date
- Technology deployed/versioning
- Warranty/support expiration date
- Data removal/retention/reassignment audit
- Monitoring audit history (incidents reported/remediations)
Data Disposal Under 500.13
When it comes to the data that IT organizations gather and retain, Covered Entities must demonstrate evidence of securely disposing of non-public information that they no longer need for business operations.
Unless specific laws or regulations require the organization to retain the information, or the data’s disposal is unreasonably difficult, that data must be securely disposed of. To evidence this, a Covered Entity must track key information for each asset.
This includes but is not limited to:
- EOL date
- Dependencies
- Audit confirmations
- Disposal certification
- Data removal/retention/reassignment audit
Failure to comply with these regulations results in heavy consequences.
Penalties for Noncompliance with NYDFS 500.13
$2 Million. $4.5 Million. $8 Million.
These are just some of the steep fines that the NYDFS has imposed on companies for noncompliance with cybersecurity and data retention regulations.
Under New York Banking Law, non-compliant organizations can be fined up to $2,500 for each day that violations persist. If the NYDFS determines that non-compliance is a pattern, that fine rises to up to $15,000 per day.
Remember that it takes months to develop comprehensive ITAM programs that provide full visibility into asset lifecycle data and adhere to regulation requirements. If a business is audited and found to be noncompliant with 500.13, it isn't an overnight fix. Even if that entity manages to become compliant in as little as six months, that still equates to at least $2.7 million in fines.
Larger enterprises may feel that the cost of those fines is still a less intensive and cheaper alternative to building out a compliant IT asset management and data protection program. But with increasingly tumultuous economies and more robust mandates for cost savings, spending any money on otherwise avoidable fines is unwise.
“We Use a CMDB. We’re Fine.”
It's no secret that a majority of enterprises use a configuration management database (CMDB) to store and organize data about their hardware and software assets. Unfortunately, a CMDB relies heavily on manual maintenance and is only accurate at the exact moment it is updated.
According to Forrester, although 82% of businesses agree that their CMDB is essential for their IT operations, 51% feel their CMDB data quality is poor. What’s more, 63% don’t trust their database to provide accurate, up-to-date information.
Especially in light of these new regulations and compliance deadlines, financial institutions need to enrich their CMDBs with comprehensive IT asset management that supports these strict requirements.
Ensure NYDFS 500.13 Compliance with Oomnitza
Oomnitza solves the headaches of NYDFS asset management and data retention compliance for financial services companies.
Our asset-centric approach to modern IT asset management puts the asset at the center of your universe and drives data integrity, automation, and compliance.
With Oomnitza, you can:
- Connect to any system with REST APIs, with 1,500+ out-of-the-box integration points for well-known systems.
- Aggregate, normalize, and enrich your data to ensure accuracy across systems.
- Automate changes to and from your systems to ensure integrity across your technology ecosystem and IT process lifecycle.
- Pull all that data into a unified dashboard with comprehensive visibility across the full asset lifecycle.
- Get a single source of truth, enabling IT to maximize technology investments and keep business performance at optimal levels.
The result? You get data integrity across your physical and digital business infrastructure that ensures total compliance with 500.13.
With clean and accurate technology asset data, you can enrich your CMDB and run seamless automations across your technology ecosystem with confidence. You'll always be NYDFS 500.13 audit-ready.
Schedule time to learn more about how our modern, asset-centric approach to ITAM can ensure your 500.13 compliance here.
This blog provides a high-level overview of some options and actions that may be necessary for enhancing your organization's cybersecurity practices in light of the updated amendments to 23 NYCRR Part 500. It is not intended to ensure compliance with all legal requirements or to cover every new amendment to the law.
For detailed information about the updated amendments, please visit: https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf