Upcoming compliance certification
Every year by April 15, financial entities subject to New York Department of Financial Services (NYDFS) oversight (covered entities) must certify their compliance with the NYDFS cybersecurity regulation, 23 NYCRR Part 500 (Part 500). This year's deadline is the first at which covered entities must certify compliance with all of the amendments to Part 500 that were phased in from November 2023 through November 2025 (the Part 500 amendments).
This series will highlight key aspects of Part 500’s amendments, as well as recent NYDFS guidance, and provide insight into how NYDFS may assess compliance with Part 500.
Part 1 addresses asset inventories and risk assessment amendments, Part 2 details updated requirements for multifactor authentication and Part 3 explores the emerging cybersecurity issues that NYDFS has identified as key priority areas.
Certification requirements
Certifications of compliance are affirmative representations by a covered entity's chief information security officer (CISO) or senior-most executive responsible for cybersecurity, attesting that the covered entity is in compliance with Part 500 and that the certification was made after the certifying individual reviewed the documents and controls on which it is based. Certifications must be accurate: making a false statement to NYDFS is itself actionable, separately from any substantive violation of Part 500, and the certifying individual can be held personally liable for certifying false statements. NYDFS has made clear through examinations, consent orders and explicit guidance that it expects certifications to be accurate, supportable and grounded in documented controls.
With the Part 500 amendments now in effect, NYDFS gives covered entities two options: submit a certification of material compliance, or submit an acknowledgement of noncompliance. An acknowledgement of noncompliance must contain:
- An acknowledgement that the covered entity did not materially comply with Part 500.
- An identification of every section of Part 500 with which the entity is not in material compliance.
- A description of the nature and extent of the noncompliance.
- A remediation timeline, or confirmation that remediation has been completed, for each area of noncompliance.
Part 500.13: Asset inventories
One of the most significant developments is that the amended Section 500.13, effective November 2025, explicitly requires covered entities to maintain an inventory of all assets, not just those that are material to the covered entity or that contain nonpublic information (NPI). This reflects NYDFS' position that institutions cannot protect systems, devices and data they do not know they have. Numerous other Part 500 requirements depend on a functional asset inventory, including risk assessments, access controls, vulnerability management and incident response planning, so deficiencies in the inventory can cascade into compliance gaps under those provisions as well.
An asset management policy should cover the entire asset life cycle, from onboarding and classification through tracking and support to eventual deprecation. The policy should also document a cadence for reviewing, updating and validating the asset inventory. The inventory itself should identify the owner, location and recovery time objective for each asset.
The Part 500 amendments make clear that covered entities cannot treat asset inventories as a static list of systems, devices and data; the inventory is meant to be a living record.
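The points above are easier to operationalize when made concrete. What follows is an added example, not code from the original post and not an NYDFS tool or requirement: a small reconciliation that checks a constructed inventory for the fields the post names (owner, location, recovery time objective), flags records whose last review is older than a policy cadence, and compares the inventory against a constructed discovery scan so that unknown devices and supposedly decommissioned assets surface. The record layout, the `active`/`decommissioned` status values, the 90-day cadence, the sample asset identifiers and the scan results are all assumptions made for the illustration.

```python
"""Asset-inventory hygiene checks.

Added illustration only: the record layout, status values, review
cadence and sample data below are assumptions, not NYDFS definitions.
A real entity would feed inventory records from its CMDB and the
discovered set from network/cloud discovery tooling.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Fields the post says each inventory record should carry.
REQUIRED_FIELDS = ("owner", "location", "rto_hours")
# Assumed policy cadence for re-validating a record; not a Part 500 figure.
REVIEW_CADENCE = timedelta(days=90)


@dataclass
class Finding:
    asset_id: str
    issue: str


def check_inventory(inventory, discovered, today, cadence=REVIEW_CADENCE):
    """Return a list of Finding objects for a list of inventory dicts,
    a set of asset IDs seen by discovery, and the date of the check."""
    findings = []
    known = {rec["asset_id"] for rec in inventory}

    for rec in inventory:
        aid = rec["asset_id"]
        if rec.get("status") == "active":
            # An active asset must be fully described and recently reviewed.
            for field_name in REQUIRED_FIELDS:
                if rec.get(field_name) in (None, ""):
                    findings.append(Finding(aid, f"missing {field_name}"))
            last = rec.get("last_reviewed")
            if last is None or today - last > cadence:
                findings.append(Finding(aid, "review overdue"))
            # An active asset that discovery cannot see may be gone or mislabelled.
            if aid not in discovered:
                findings.append(Finding(aid, "active but not seen by discovery"))
        elif aid in discovered:
            # A deprecated asset that is still reachable is an unmanaged exposure.
            findings.append(Finding(aid, "decommissioned but still reachable"))

    # Anything discovery sees that the inventory does not know about.
    for aid in sorted(discovered - known):
        findings.append(Finding(aid, "discovered but not in inventory"))
    return findings


def summarize(findings):
    """Count findings by issue type, e.g. for a compliance dashboard."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data (hypothetical identifiers and values).
INVENTORY = [
    {"asset_id": "srv-001", "owner": "payments-platform", "location": "dc-nyc-1",
     "rto_hours": 4, "status": "active", "last_reviewed": date(2025, 12, 1)},
    {"asset_id": "srv-002", "owner": "", "location": "aws-us-east-1",
     "rto_hours": 24, "status": "active", "last_reviewed": date(2025, 6, 1)},
    {"asset_id": "lap-017", "owner": "j.doe", "location": "remote",
     "rto_hours": None, "status": "decommissioned", "last_reviewed": date(2025, 11, 15)},
]
# Constructed discovery result: IDs a scan reported as live.
DISCOVERED = {"srv-001", "lap-017", "srv-099"}
TODAY = date(2026, 1, 15)

if __name__ == "__main__":
    for f in check_inventory(INVENTORY, DISCOVERED, TODAY):
        print(f"{f.asset_id}: {f.issue}")
    print(summarize(check_inventory(INVENTORY, DISCOVERED, TODAY)))
```

Run as-is, the sample data yields five findings: `srv-002` is missing an owner, overdue for review and invisible to discovery; `lap-017` is marked decommissioned yet still reachable; and `srv-099` is live but absent from the inventory. Each of those is the kind of gap the post warns about, and each would propagate into the risk assessment, access control and vulnerability management obligations that depend on the inventory being complete.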
Part 500.9: Risk assessments
Risk assessments have always been central to Part 500, but the amendments reinforce their role as the driver of the cybersecurity program and the basis on which a program is evaluated. NYDFS now requires covered entities to conduct risk assessments at least annually and whenever material business or technology changes occur, which could include geopolitical events.
This reflects NYDFS' position that a risk assessment cannot be static, generic or disconnected from operational reality. The risk assessment serves as the evidentiary bridge between identified risk and implemented controls. A covered entity that cannot demonstrate how its cybersecurity measures are appropriate in light of its assessed risks may face questions about the sufficiency of its overall compliance with Part 500 and about whether its certification is supportable.
Looking ahead
For covered entities, the annual certification should be approached as a governance exercise, not a formality. Individuals responsible for preparing for certifications should take care to review the institution’s compliance posture holistically, building on the asset inventory and risk assessment controls as the key components underpinning compliance.
In our next post, we turn to one of the most heavily scrutinized areas of the amended Part 500: multifactor authentication.
