NYDFS Cybersecurity

NYDFS Annual Certification of Compliance (23 NYCRR 500.17)

The short version

The NYDFS Cybersecurity Regulation requires a covered entity to make an annual written submission to the Department about its compliance. After the 2023 amendments, 23 NYCRR 500.17(b) gives two forms: a Certification of Material Compliance, stating that the entity materially complied with Part 500 during the prior calendar year, or a written Acknowledgment of Noncompliance, identifying the sections it did not materially comply with, describing the nature and extent of the shortfall, and giving a remediation timeline (or confirming that remediation is complete). The submission is signed by the highest-ranking executive and the Chief Information Security Officer, and it must rest on data and documentation sufficient to demonstrate material compliance, retained for examination; the two signatures alone are not enough.

Part 500 ends each year with a signature. The annual submission to the Department of Financial Services is where a covered entity states, in writing and at the top of the house, whether its cybersecurity program met the regulation. The 2023 amendments changed what that submission looks like and who signs it. This guide covers what 500.17(b) requires, the two forms it now takes, who signs, the evidence behind it, and where it goes wrong.

What 500.17(b) requires

Section 500.17(b) requires a covered entity to submit, by 15 April each year, a written statement covering the prior calendar year, filed electronically through the Department's online cybersecurity portal. Before the 2023 amendments this was a single Certification of Compliance. The amendments replaced it with a choice of two submissions, which made the annual filing more honest: an entity that fell short of full compliance no longer has to choose between certifying inaccurately and filing nothing.

The two forms of submission

Submission: Certification of Material Compliance
When it applies: The entity materially complied with the requirements of Part 500 during the prior calendar year. The certification must be based on data and documentation sufficient to accurately determine and demonstrate that material compliance.

Submission: Acknowledgment of Noncompliance
When it applies: The entity did not materially comply with all requirements of Part 500 during the prior calendar year. It identifies the sections it did not materially comply with, describes the nature and extent of the noncompliance, and provides a remediation timeline or confirms that remediation has been completed.

Who signs

The 2023 amendments changed the signatories. The annual submission must be signed by the highest-ranking executive and the Chief Information Security Officer; where the entity has no CISO, the senior officer responsible for the cybersecurity program signs in that role. Putting both signatures on the filing pushes accountability up to the top of the organization and onto the officer responsible for the program, rather than leaving it with a compliance administrator.

The evidence behind it

A certification is only as good as what supports it. Section 500.17(b) requires the certification to rest on data and documentation sufficient to accurately determine and demonstrate material compliance, and the entity must maintain all records, schedules and data supporting the certification or acknowledgment for examination by the Department for five years. In practice this means the certification sits on top of the rest of Part 500: a current risk assessment, the program and policies, the access and encryption controls, training, and the testing that shows the controls operate. The annual filing is the visible top of that stack.

How to approach it

Step 1: Assess material compliance across Part 500

Review the program against each requirement of Part 500 for the prior year, drawing on the risk assessment and control testing.

Step 2: Choose the right submission

Determine whether the entity materially complied, and so whether to certify or to file an acknowledgment with a remediation plan.

Step 3: Assemble the supporting evidence

Gather the data and documentation sufficient to support the certification or acknowledgment, and retain it for five years for examination by the Department.

Step 4: Obtain both signatures

Have the highest-ranking executive and the CISO review and sign the submission.

Step 5: File by the deadline and remediate any gaps

Submit through the portal by 15 April, and where an acknowledgment was filed, work the remediation timeline it committed to, since the next year's submission will be measured against it.

Where it goes wrong

The annual certification is the signed top of a Part 500 program, only as strong as the controls and evidence beneath it. The typical failures follow from that: certifying material compliance without the data and documentation to back it up, treating the filing as a compliance administrator's form rather than obtaining both required signatures, and filing a certification where the honest submission is an acknowledgment with a remediation timeline. For the wider regulation, see the NYDFS cybersecurity compliance guide and the NYDFS glossary; for the requirement the program is built around, see the NYDFS risk assessment guide.

Common questions

What does 23 NYCRR 500.17(b) require?
An annual written submission to the Department of Financial Services, due by 15 April each year and filed through the Department's cybersecurity portal, covering the prior calendar year. After the 2023 amendments it takes one of two forms: a Certification of Material Compliance with Part 500, or a written Acknowledgment that the entity did not materially comply, identifying the gaps and providing a remediation plan.
Who signs the NYDFS annual certification?
After the 2023 amendments, the highest-ranking executive and the Chief Information Security Officer both sign. Requiring both signatures pushes accountability to the top of the organization and onto the officer responsible for the cybersecurity program.
What is the difference between certifying and acknowledging?
An entity files a Certification of Material Compliance if it materially complied with Part 500 during the prior year. If it did not, it files a written Acknowledgment that identifies the sections it did not meet and includes a remediation plan with a timeline. The two-option structure came in with the 2023 amendments.
What evidence supports the certification?
Section 500.17(b) requires the certification to rest on data and documentation sufficient to accurately determine and demonstrate material compliance, and the entity must retain the supporting records for five years for examination by the Department. In practice that means a current risk assessment, the program and policies, the technical controls, training, and the testing that shows the controls operate.
From the team behind this guide

A certification your executives can sign

Compliance Command Center assembles the evidence behind the NYDFS annual submission, tests material compliance across Part 500, and produces the supporting documentation the rule requires you to retain. Practitioners build it, with a human reviewing every deliverable, so the executive and the CISO sign on a defensible basis.