Are You Ready for It? NYDFS Annual Cybersecurity Certification Deadline April 15

BakerHostetler
The New York State Department of Financial Services (NYDFS) recently amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500), effective Nov. 1, 2023, which we wrote about here. Covered entities must still certify compliance with Part 500 by April 15 each year – that’s not new. What is new, however, is that covered entities now must submit to NYDFS either a Certification of Material Compliance or an Acknowledgment of Noncompliance for the 2023 calendar year by April 15, 2024.

  • Covered entities now are only required to certify “material” compliance with Part 500 during the prior calendar year.
    • This change now allows a covered entity to certify even if it identifies minor areas of potential noncompliance.
    • In its response to public comments, NYDFS stated that the “materiality” determination depends on many factors, including both the severity of compliance failures and the duration of those failures. Additionally, multiple violations that alone would be immaterial could, in the aggregate, become material.
  • Certification of Material Compliance must be based on data and documentation sufficient to demonstrate material compliance.
    • Under the revised regulation, the certification must be “based upon data and documentation sufficient to accurately determine and demonstrate such material compliance including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation whether in the form of reports, certifications, schedules or otherwise.”
    • The supporting data and documentation do not need to be submitted with the certification; in fact, NYDFS has stated in its FAQs that such documentation should not be provided along with the certification. However, the documentation must be kept for five years and provided to NYDFS upon request.
      • The information a covered entity must keep includes, but is not limited to, “the identification of all areas, systems, and processes that require or required material improvement, updating or redesign, remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.”
  • The new regulation provides an option for covered entities to submit an Acknowledgment of Noncompliance instead of a Certification of Material Compliance.
    • Under the prior version of Part 500, a covered entity could not certify compliance for the prior year if it discovered any area of noncompliance, regardless of how minor the deficiency or how quickly it was remediated.
    • Now a covered entity can submit an Acknowledgment of Noncompliance, which identifies all sections of Part 500 with which the entity has not materially complied, describes the nature and extent of such noncompliance, and provides a remediation timeline or confirmation that remediation has been completed.
  • The certification or acknowledgment must be signed by the highest-ranking executive and the CISO.
    • The updated Part 500 now requires the certification or acknowledgment to be signed by both the CISO (or senior officer responsible for the covered entity’s cybersecurity program) and the covered entity’s highest-ranking executive.
    • This new requirement reflects the importance NYDFS places on the CISO and the highest-ranking executive having “active involvement with cybersecurity compliance.”

What you can do now to make sure you are ready for April 15

  • Identify the Highest-Ranking Executive for the Covered Entity: Determining the appropriate person to sign as the highest-ranking executive isn’t always straightforward given the complexities of some covered entities’ organizational structures.
    • In its response to public comments, NYDFS stated that “the CEO or other highest-ranking executive, who is the person in charge of the business” is the appropriate leader to sign along with the CISO.
  • Develop a Strategy to Address Any Areas of Noncompliance: The new Acknowledgment of Noncompliance requires not only an explanation of the areas of noncompliance but also either a confirmation that the failures have been remediated or a timeline to remediate the failures.
    • If an area of noncompliance has not been remediated at the time the acknowledgment is submitted, the acknowledgment form will request the estimated date on which the covered entity expects the remediation to be completed. However, the portal form notes that NYDFS may follow up with the covered entity to obtain a more detailed remediation timeline. Be ready by having a detailed plan already prepared that describes the key implementation milestones and anticipated dates of completion.
  • Get Your Documentation Ducks in a Row: The revised regulation requires the certification to be based on “data and documentation” as described above.
    • Allow enough time before April 15 for the CISO and highest-ranking executive to review the supporting data and documentation. Signing the certification certifies not only that the covered entity was in material compliance with Part 500 but also that the CISO and highest-ranking executive have reviewed the data and documentation supporting such certification.
  • Review the Step-by-Step Guides for Submitting the Certification or Acknowledgment: Know what to expect and avoid last-minute surprises by reviewing the step-by-step submission guides prepared by NYDFS for the certification or acknowledgment, as applicable.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
