NY DFS Compliance Calendar

Key dates, deadlines, and recurring requirements for NY DFS 23 NYCRR 500 compliance. Never miss an important deadline.

Critical Deadlines

April 15 | Section 500.17

Annual Certification Filing

Submit annual certification of compliance (or acknowledgment of noncompliance) to NY DFS for the prior calendar year.

Within 72 Hours | Section 500.17

Cybersecurity Event Notification

Notify NY DFS Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred.

Recurring Requirements

Annually | Section 500.05 | Limited Exempt

Penetration Testing

Conduct annual penetration testing from a qualified internal or external party.

Bi-Annually | Section 500.05 | Limited Exempt

Vulnerability Assessments

Perform vulnerability assessments at least every six months.

Annually | Section 500.09

Risk Assessment Review

Review and update your risk assessment at least annually, or whenever material changes occur.

Annually | Section 500.14

Security Awareness Training

Provide cybersecurity awareness training for all personnel. While frequency isn't specified, annual training is industry standard.

Annually | Section 500.04 | Limited Exempt

CISO Board Reporting

CISO must report to the board or senior governing body at least annually on the cybersecurity program.

Annually | Section 500.16

Incident Response Plan Testing

Test your incident response and business continuity plans at least annually.

Periodically | Section 500.07

Access Privilege Review

Periodically review access privileges and remove access that is no longer necessary.

As Needed | Section 500.03

Policy Updates

Review and update cybersecurity policies when material changes occur to your environment or operations.

Suggested Quarterly Schedule

Use this quarterly breakdown to spread your compliance activities throughout the year. Adjust based on your organization's specific needs and fiscal calendar.

Q1 (Jan-Mar)

  • Prepare annual certification (By April 15)
  • Review Q4 security metrics (January)
  • Update risk assessment if needed (March)

Q2 (Apr-Jun)

  • File annual certification (April 15)
  • Bi-annual vulnerability assessment #1 (June)
  • Review training completion rates (May)

Q3 (Jul-Sep)

  • Annual penetration test planning (July)
  • Conduct penetration test (August-September)
  • Third-party vendor reviews (September)

Q4 (Oct-Dec)

  • Bi-annual vulnerability assessment #2 (December)
  • Annual security awareness training (November)
  • CISO annual board report (December)
  • Begin certification prep for next year (December)

Incident Notification Timeline

When a cybersecurity event occurs, you must notify NY DFS according to this timeline:

Immediately

Activate incident response plan, begin containment, and start investigation.

Within 24 Hours

Determine if the event is "reportable" under Section 500.17(a).

Within 72 Hours

CRITICAL: Notify NY DFS Superintendent if the event is reportable. Submit via the DFS portal.

Within 90 Days

Submit follow-up report with investigation findings, root cause, and remediation steps.

Never Miss a Compliance Deadline

Buffalo Sentinel automatically tracks all your compliance deadlines and sends reminders so you're always prepared.