The NYDFS Cybersecurity Regulation requires a covered entity to make an annual written submission to the Department about its compliance. After the 2023 amendments, 23 NYCRR 500.17(b) gives two forms: a Certification of Material Compliance, stating the entity materially complied with Part 500 during the prior year, or a written Acknowledgment that it did not materially comply with all of Part 500, identifying the gaps and including a remediation plan. The submission is signed by the highest-ranking executive and the Chief Information Security Officer, and it must be supported by evidence, not just signed.
Part 500 ends each year with a signature. The annual submission to the Department of Financial Services is where a covered entity states, in writing and at the top of the house, whether its cybersecurity program met the regulation. The 2023 amendments changed what that submission looks like and who signs it. This guide covers what 500.17(b) requires, the two forms it now takes, who signs, the evidence behind it, and where it goes wrong.
What 500.17(b) requires
Section 500.17(b) requires a covered entity to submit, by 15 April each year, a written statement covering the prior calendar year, filed electronically through the Department's online cybersecurity portal. Before the 2023 amendments this was a single certification of compliance. The amendments replaced it with a choice of two submissions, which made the annual filing more honest: an entity that was not in full compliance is no longer forced to either certify falsely or say nothing.
The two forms of submission
| Submission | When it applies |
|---|---|
| Certification of Material Compliance | The entity materially complied with the requirements of Part 500 during the prior year. The certification is based on data and documentation sufficient to support it. |
| Acknowledgment of non-compliance | The entity did not materially comply. It identifies the sections it did not meet and provides a remediation plan with a timeline. |
Who signs
The 2023 amendments changed the signatories. The annual submission must be signed by the highest-ranking executive and the Chief Information Security Officer. Putting both signatures on the filing pushes accountability up to the top of the organization and onto the officer responsible for the program, rather than leaving it with a compliance administrator.
The evidence behind it
A certification is only as good as what supports it. Section 500.17(b) requires the certification to rest on data and documentation sufficient to demonstrate material compliance, and the entity must retain that supporting material for examination. In practice this means the certification sits on top of the rest of Part 500: a current risk assessment, the program and policies, the access and encryption controls, training, and the testing that shows the controls operate. The annual filing is the visible top of that stack.
How to approach it
Step 1: Assess material compliance across Part 500
Review the program against each requirement of Part 500 for the prior year, drawing on the risk assessment and control testing.
Step 2: Choose the right submission
Determine whether the entity materially complied, and so whether to certify or to file an acknowledgment with a remediation plan.
Step 3: Assemble the supporting evidence
Gather the data and documentation sufficient to support the certification, and retain it for examination.
Step 4: Obtain both signatures
Have the highest-ranking executive and the CISO review and sign the submission.
Step 5: File by the deadline and remediate any gaps
Submit on time, and where an acknowledgment was filed, execute the remediation plan.
Where it goes wrong
- Certifying without evidence. The submission is signed but there is no data and documentation sufficient to support material compliance.
- Certifying when an acknowledgment was the honest filing. Known gaps existed, but the entity certified rather than acknowledging and remediating.
- Wrong signatories. The filing is signed below the level the amended rule requires, missing the executive or the CISO.
The annual certification is the signed top of a Part 500 program, only as strong as the controls and evidence beneath it. For the wider regulation, see the NYDFS cybersecurity compliance guide and the NYDFS glossary; for the requirement the program is built around, see the NYDFS risk assessment guide.
Primary sources
- 23 NYCRR 500.17(b): The NYDFS annual submission: a Certification of Material Compliance or a written Acknowledgment of non-compliance with a remediation plan, signed by the highest-ranking executive and the CISO.
- 23 NYCRR Part 500 (NYDFS Cybersecurity Regulation): The full New York cybersecurity regulation: the program and policy requirements, CISO, MFA and encryption, incident notice, and annual certification.