The NYDFS Cybersecurity Regulations | Practical Law

A Practice Note explaining the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which require state-licensed financial institutions to protect their information systems and the nonpublic information (NPI) that they store. This Note details compliance obligations for state-licensed financial institutions, including required policies and procedures, risk assessment, and core cybersecurity program elements. It also discusses additional cybersecurity controls required under Part 500, such as encryption and monitoring, multi-factor authentication, reporting and certification requirements, and application to consumer credit reporting agencies under 23 NYCRR Part 201.

Practical Law Practice Note w-016-7142 (Approx. 35 pages)

by Tara Swaminatha, ZeroDay Law LLC, with Practical Law Data Privacy & Cybersecurity
Maintained | New York, USA (National/Federal)