NYDFS Part 500 requires documented security awareness training. Here's what examiners look for — and what most SAT platforms don't give you by default.
The email hits your inbox on a Wednesday morning. Your MSP client—a regional broker-dealer—is facing a formal New York Department of Financial Services (NYDFS) examination in 45 days. The examiner has provided their standard document request list. Right there in the middle is a demand for complete documentation of the organization's cybersecurity awareness training program.
You know the client's staff clicked through the modules. Finding the actual evidence is another story. You are looking at hours of manual data extraction just to build a cohesive report for the auditor. The stakes are real. Missing documentation during an examination leads directly to a failed compliance certification. A failure means regulatory fines, public consent orders, and permanent reputational damage for your client.
This post covers what NYDFS Part 500 requires for security awareness training documentation, what examiners look for when they ask for it, and what most SAT platforms don't give you by default.
What NYDFS Part 500 requires for security awareness training
The New York Department of Financial Services is precise about training requirements and who must oversee the process. Under 23 NYCRR §500.4, every covered entity must designate a Chief Information Security Officer (CISO) responsible for overseeing and implementing the cybersecurity program. The CISO files an annual written certification under §500.17(b), making training documentation a personal accountability matter for the CISO.
Scope: The mandate covers all personnel at NY-regulated financial institutions. This includes banks, insurance companies, hedge funds, fintechs, broker-dealers, and similar entities licensed by NYDFS. The exact covered entity definition is documented in §500.1. If the individual works for the covered entity, they must be trained.
Citation: 23 NYCRR Part 500, specifically §500.14 (Training and Monitoring). Within that section, §500.14(a)(3) covers cybersecurity awareness training specifically.
The 2023 NYDFS amendments significantly strengthened Part 500. They added new requirements around multi-factor authentication, CISO independence, ransomware reporting, and broader incident notification. The amendments also tightened the cybersecurity awareness training requirement and added explicit social engineering training language under §500.14(a)(3).
Frequency: Annual training for all personnel is the baseline requirement.
Content requirements: The training must cover cybersecurity awareness, explicitly including social engineering tactics (per the 2023 amendment). The regulation also requires that this training be tied directly to the organization's specific cybersecurity program. Generic compliance videos do not satisfy the standard.
Retention: Organizations must retain compliance records under Part 500 for a minimum of 5 years.
Additional requirement: The regulation mandates board oversight of the cybersecurity program. The CISO annual certification (§500.17(b)) means the Chief Information Security Officer must personally attest to compliance, including the training requirements.
Examiner: New York State Department of Financial Services.
What auditors actually look for
When an examiner from the New York State Department of Financial Services evaluates your training program, they test the operational reality of your controls. They do not want verbal assurances. They execute a formal review protocol. They want hard evidence that the training program functions exactly as attested by the CISO.
First, they look for program evidence. This means reviewing the written cybersecurity program. They cross-reference the curriculum to ensure it directly aligns with the organization's specific policies. Because of the 2023 amendment, examiners actively look for explicit content mapping to social engineering threats. If your program lacks dedicated social engineering modules, it fails the examination.
Next, they demand per-person records. The examiner will request a directory roster of all personnel at the regulated institution. They will sample this list and demand corresponding training logs. They look for strict scope coverage. If a new analyst was hired in March, the examiner wants the exact date their training was completed to verify it aligns with internal onboarding policies.
They also demand cadence evidence. Assessors want to see a timeline proving the annual training baseline was met for every user. They look for timestamps.
Finally, examiners evaluate the response to identified issues. If an employee consistently falls for simulated phishing attacks, the examiner wants to see the documented follow-up. Recording the click is not enough. They want evidence of the specific remedial training triggered by that failure, proving the program actively mitigates human risk within the financial institution.
What most SAT platforms give you by default
The security awareness training category produces massive amounts of data. It rarely produces evidence. Most SAT platforms function simply as campaign distribution tools.
They output raw completion reports. They show per-campaign phishing results, isolating exactly who failed a test on a given Thursday. They build dashboard dials with aggregate percentages showing high-level organizational risk.
For an MSP operator trying to satisfy a NYDFS examiner, this is raw material. It requires significant manual labor to become actual evidence.
What these platforms typically do not produce in an audit-ready format are framework-mapped reports specific to NYDFS Part 500. They lack evidence bundles that neatly combine initial annual training, ongoing social engineering simulation performance, and policy acknowledgements into a single user timeline. They do not generate date-range-scoped exports that cleanly match the specific examination window.
Instead, you get manual reconciliation. You export directory rosters. You export training logs. You spend hours building campaigns, chasing learners, pulling reports. You manually reconcile the workforce against completions to prove no personnel were missed. You filter out activity that occurred outside the audit period.
The platform logs the activity. You carry the burden of proving compliance.
The final output is a fragile spreadsheet. It lacks the integrity-hashed PDF artifacts examiners prefer to verify the data hasn't been modified post-export. The software captures the clicks, but it leaves the compliance documentation problem entirely unsolved.
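The reconciliation described above, turned into a small script, as an added example that is not code from the post or from any SAT vendor. It joins a constructed directory roster against constructed training, phishing-simulation and remediation exports for one examination window, flags the three gaps an examiner samples for (no content-mapped completion, a completion outside the window, a simulation failure with no documented follow-up), records days from hire to first completion for people hired inside the window, and then serializes the bundle and computes a SHA-256 digest that can be recomputed later to confirm the export was not altered. Every column name, module name and data row is an assumption made for this example.

```python
"""Reconcile a roster against training/simulation logs for an examination window
and hash the resulting evidence export. Added example; all data is constructed."""
import csv
import hashlib
import io
import json
from datetime import date

# Constructed sample exports. Column names are assumptions, not a vendor format.
ROSTER_CSV = """employee_id,name,role,hire_date
1001,A. Ortiz,Analyst,2021-06-14
1002,B. Chen,Trader,2024-03-04
1003,C. Patel,Compliance,2019-11-02
1004,D. Novak,Operations,2023-01-09
"""
TRAINING_CSV = """employee_id,module,completed_at
1001,Social engineering awareness,2024-05-20
1002,Social engineering awareness,2024-03-18
1003,Social engineering awareness,2023-02-11
1004,Generic cyber hygiene,2024-04-02
"""
SIMULATION_CSV = """employee_id,sent_on,clicked
1001,2024-07-09,yes
1002,2024-07-09,no
1004,2024-07-09,yes
"""
REMEDIATION_CSV = """employee_id,module,completed_at
1001,Remedial phishing module,2024-07-15
"""
# Name of the module mapped to the social engineering content requirement (assumed).
REQUIRED_MODULE = "Social engineering awareness"


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(window_start, window_end):
    """Return one evidence row per roster member for the ISO-date window.

    'compliant' means the required module was completed inside the window.
    Completions outside the window are reported as such rather than counted,
    and every simulation click must have a remediation dated after the click.
    """
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    training, sims, remediation = load(TRAINING_CSV), load(SIMULATION_CSV), load(REMEDIATION_CSV)
    rows = []
    for person in load(ROSTER_CSV):
        eid = person["employee_id"]
        completions = [date.fromisoformat(t["completed_at"]) for t in training
                       if t["employee_id"] == eid and t["module"] == REQUIRED_MODULE]
        in_window = [d for d in completions if start <= d <= end]
        if in_window:
            status = "compliant"
        elif completions:
            status = "completed outside window"
        else:
            status = "missing"
        # New hires: how long after the hire date the first completion landed.
        hired = date.fromisoformat(person["hire_date"])
        days_from_hire = (min(completions) - hired).days if completions and start <= hired <= end else None
        # Each failed simulation needs a follow-up completion dated after the click.
        unremediated = []
        for s in sims:
            if s["employee_id"] != eid or s["clicked"] != "yes":
                continue
            failed_on = date.fromisoformat(s["sent_on"])
            if not any(r["employee_id"] == eid and date.fromisoformat(r["completed_at"]) > failed_on
                       for r in remediation):
                unremediated.append(failed_on.isoformat())
        rows.append({
            "employee_id": eid, "name": person["name"], "role": person["role"],
            "hire_date": person["hire_date"], "status": status,
            "completed_in_window": [d.isoformat() for d in in_window],
            "days_from_hire_to_first_completion": days_from_hire,
            "unremediated_failures": unremediated,
        })
    return rows


def export_bundle(rows, window_start, window_end):
    """Serialize the evidence as canonical JSON bytes and return (bytes, sha256 hex).

    Sorted keys make the serialization deterministic, so anyone holding the
    bytes can recompute the digest and compare it with the one recorded at export.
    """
    payload = {"framework": "NYDFS 23 NYCRR Part 500 §500.14(a)(3)",
               "window": [window_start, window_end], "records": rows}
    data = json.dumps(payload, sort_keys=True, indent=2).encode()
    return data, hashlib.sha256(data).hexdigest()


def verify_bundle(data, expected_digest):
    """True only if the bytes still hash to the digest recorded at export time."""
    return hashlib.sha256(data).hexdigest() == expected_digest


if __name__ == "__main__":
    rows = reconcile("2024-01-01", "2024-12-31")
    data, digest = export_bundle(rows, "2024-01-01", "2024-12-31")
    for r in rows:
        print(r["employee_id"], r["status"], r["unremediated_failures"])
    print("sha256:", digest, "verified:", verify_bundle(data, digest))
```

With the constructed data the run reports 1001 and 1002 as compliant, 1003 as completed outside the window (a 2023 completion does not satisfy a 2024 window), and 1004 as missing because the only completion is a module not mapped to the required content; 1004's July click also shows up as an unremediated failure, while 1001's click is closed out by the remediation dated six days later.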
Your NYDFS Part 500 training documentation checklist
To get through a NYDFS Part 500 examination without wasting days on manual data formatting, your evidence must be precise and organized. Build your documentation bundle using this scannable checklist.
Per-person records:
Full legal name and employee ID
Organizational role or title
Official hire date
Training completions with exact dates and timestamps
Content mapping (explicitly tying modules to social engineering and the organization's specific cybersecurity program)
Information security program acknowledgements with formal signature dates
Refresher evidence (timestamps for the annual training baseline)
Response to identified needs (remedial training dates triggered by simulation failures)
Program-level artifacts:
Written cybersecurity policy approved by the board
Scope statement clearly defining all personnel at the covered entity
Complete curriculum overview mapping back to 23 NYCRR Part 500 §500.14(a)(3)
Audit protocol compliance evidence proving delivery aligns with the CISO's annual certification (§500.17(b))
Retention:
Maintain all listed records for a minimum of 5 years as required for compliance records under Part 500. Records must be securely stored and readily accessible for the NYDFS examiner.
Modern managed SAT platforms can generate this documentation automatically. Kinds, for example, produces NYDFS Part 500-mapped PDF reports scoped by date range and workforce selection, with SHA-256 integrity hashes embedded in the footer so examiners can verify the report hasn't been modified. But whatever platform you use, the checklist above is what your documentation should include. If your current platform can't produce this without manual reconciliation, you have a documentation problem, not a training problem.
Related frameworks
Organizations subject to NYDFS Part 500 often also deal with GLBA/FTC Safeguards Rule and cyber insurance. For related guidance, see our posts on those frameworks.
This post describes general patterns in NYDFS Part 500 training documentation. It is not legal or compliance advice. Confirm specific obligations with your compliance advisor, assessor, or relevant regulator.
