Compliance | January 15, 2024 | 12 min read

Annual Compliance Certification: A Step-by-Step Guide

What you need to prepare for your annual certification filing by April 15th.

Key Deadline: April 15th

The annual certification must be filed by April 15th of each year, covering compliance for the prior calendar year. Late filings can result in penalties and regulatory scrutiny.

Section 500.17(b) of the NY DFS Cybersecurity Regulation (23 NYCRR 500) requires every covered entity to submit an annual notice of compliance attesting to its compliance with the regulation. This guide walks you through the entire certification process, from preparation to filing.

Understanding the Certification

The annual certification is a formal attestation that your organization materially complied with the applicable requirements of 23 NYCRR 500 during the prior calendar year. Under the regulation as amended in November 2023, the notice must be signed by the covered entity's highest-ranking executive and its CISO; if the entity has no CISO, the senior officer responsible for the cybersecurity program signs in the CISO's place.

You have two options:

  • Certification of Compliance - You materially complied with all applicable requirements during the prior calendar year
  • Acknowledgment of Noncompliance - You did not materially comply; the acknowledgment identifies each section you did not comply with, describes the nature and extent of the noncompliance, and gives a remediation timeline (or confirms that remediation is complete)

Step 1: Determine Applicable Requirements

First, identify which requirements apply to your organization:

Limited Exemption Entities (500.19)

If you qualify for a limited exemption, you are exempt from some sections of the regulation but remain subject to the rest, including the annual certification itself. You still need to file a Notice of Exemption if you haven't already.

Full Compliance Entities

If you don't qualify for an exemption, you must comply with every section of the regulation that imposes a requirement on covered entities.

Step 2: Gather Evidence

Before certifying, gather documentation that demonstrates compliance for each applicable requirement:

Evidence Checklist

Policies & Procedures

  • Cybersecurity policy (500.03)
  • Incident response plan (500.16)
  • Third-party service provider policy (500.11)
  • Access privileges policy (500.07)

Technical Controls

  • MFA enrollment reports (500.12)
  • Encryption status (500.15)
  • Penetration test results (500.05)
  • Vulnerability scan reports (500.05)

Governance

  • CISO designation (500.04)
  • Board reporting records (500.04)
  • Risk assessment (500.09)

Training & Awareness

  • Training completion records (500.14)
  • Phishing test results
  • Policy acknowledgments

Step 3: Conduct Internal Review

Perform a thorough review of your compliance status:

  1. Review each applicable section of the regulation
  2. Document evidence of compliance for each requirement
  3. Identify any gaps or areas of noncompliance
  4. Develop remediation plans for any identified gaps
  5. Have your CISO or compliance officer sign off on the review

Step 4: Executive and CISO Review

The certification must be signed by both:

  • The covered entity's highest-ranking executive
  • The CISO (or, if the entity has no CISO, the senior officer responsible for the cybersecurity program)

The signers are attesting that, to the best of their knowledge, the organization materially complied with the applicable requirements during the prior calendar year. They should review the evidence before signing, and the board (or appropriate committee) should be briefed on the findings as part of its oversight of the program.

Step 5: File the Certification

Submit your certification through the DFS portal:

  1. Log in to the DFS Cybersecurity Portal
  2. Select your entity and the certification year
  3. Complete the certification form
  4. Upload any required documentation
  5. Submit by April 15th

What If You Can't Certify Compliance?

If you identify areas of noncompliance, you can file an Acknowledgment of Noncompliance instead. The acknowledgment must include:

  • The sections of the regulation you did not materially comply with, and the nature and extent of the noncompliance
  • The areas, systems and processes that require material improvement, updating or redesign
  • A remediation plan with specific timelines, or confirmation that remediation has been completed
  • An explanation of any compensating controls in place while remediation is under way

Step 6: Maintain Records

Keep all supporting documentation for at least 5 years. This includes:

  • All evidence gathered during the review process
  • Internal review documentation
  • Signature and approval records from the highest-ranking executive and CISO (or senior officer), plus any board briefing records
  • Copy of the filed certification

Certification Timeline

  • Jan: Begin evidence gathering. Start collecting documentation for the prior year.
  • Feb: Internal review. Complete the compliance review and identify any gaps.
  • Mar: Executive review. Present the findings to the highest-ranking executive and the CISO (or the senior officer responsible for the program) for sign-off, and brief the board.
  • Apr 15: Filing deadline. Submit the certification through the DFS portal.

Simplify Your Annual Certification

Buffalo Sentinel tracks your compliance year-round and generates certification-ready reports automatically.
