NYDFS Cybersecurity certification due for 2019
If you are a financial services firm regulated by the New York Department of Financial Services, your certification of compliance for calendar year 2019 was due March 2, 2020. DFS has been clear that it will enforce missing or false attestations, and the signing officer is personally accountable. This is not paperwork: it is your executive team signing off that security controls actually work.
Fact-checked and reviewed — Kodi C.
If you are a financial services company operating in New York, March 2, 2020 marked an important deadline: the annual certification under NYDFS Part 500 (23 NYCRR 500) covering calendar year 2019. The chairperson of your board or a senior officer had to certify that your organization complied with the cybersecurity regulation during that year. This was not a checkbox exercise; it was a personal attestation with potential liability implications.
What the certification actually requires
The annual certification is not just confirming you have a security program. It is a specific attestation that your organization has complied with the cybersecurity requirements throughout the previous calendar year. That means your controls were in place and operating effectively, not just documented in policies that nobody follows.
The certification must be signed by the chairperson of the board of directors or a senior officer. This elevates cybersecurity from a technical concern to a governance responsibility. The person signing is personally attesting to compliance; they cannot plead ignorance if problems surface later.
Section 500.17(b) also requires you to retain all records, schedules, and data supporting the certification for five years, available for examination by DFS. When regulators review your certification, they will expect evidence that backs up your attestation: policies, audit reports, incident logs, penetration test and vulnerability assessment results, training records, and the other artifacts that demonstrate your program actually functions.
The compliance reality check
Many organizations discovered during certification prep that their programs had gaps. Part 500's requirements are specific: a designated CISO, periodic risk assessments, penetration testing and vulnerability assessments, audit trails, access privilege controls, multi-factor authentication, encryption of nonpublic information, third-party service provider oversight, cybersecurity training, and a written incident response plan. Having a policy that mentions these things is not enough; you need to be doing them.
The risk assessment requirement trips up organizations that treat it as a one-time exercise. Part 500 expects a periodic risk assessment, updated as the environment changes, that informs the program's priorities and controls. If your last risk assessment was two years ago and does not reflect your current environment, you have a problem.
Third-party service provider oversight is another common gap. You need written policies for assessing the cybersecurity practices of vendors who access your systems or handle your nonpublic information, including due diligence before onboarding, periodic reassessment, and contractual protections. Many organizations have informal vendor management that does not meet these requirements.
When certification is not possible
What if you cannot truthfully certify compliance? Do not certify. The regulation as it stood for the 2019 filing required a covered entity that had identified areas, systems, or processes needing material improvement to document them together with the remedial efforts planned and underway, and to keep that documentation available for DFS inspection. The November 2023 amendment formalized this as a written acknowledgment of non-compliance filed with DFS, identifying the sections not complied with and the remediation plan and timeline. Either path is better than a false certification, but both invite regulatory scrutiny.
The practical advice: do not wait until certification deadline to discover non-compliance. Conduct internal assessments well in advance. Identify gaps early. Remediate what you can before certification date, and document realistic remediation plans for what you cannot.
False certification creates serious risk. If you certify compliance and later events reveal you were not compliant, you have exposed your signing officer to personal liability and your organization to enhanced enforcement. The regulators view false certification as a separate violation beyond the underlying compliance failure.
Building certification readiness
Certification readiness starts with understanding each Part 500 requirement and how your organization addresses it. Create a control mapping that shows which policies, procedures, and tools satisfy each requirement. Test that your documented controls actually work—do not assume.
Penetration testing and vulnerability assessments provide evidence that your security controls are effective. If you have not conducted these recently, do so before certifying. The results may reveal problems, but problems discovered internally are easier to address than problems discovered by regulators.
Third-party assessments can provide independent validation. While not required for certification, having external validation strengthens your position if questions arise later. Independent assessors see things internal teams miss.
The governance dimension
The certification requirement is fundamentally about governance. By requiring board or senior officer signature, Part 500 ensures that cybersecurity is a leadership responsibility. The days of treating security as something the IT department handles independently are over.
Boards need regular briefings on cybersecurity posture. They need to understand the risk assessment process and results. They need visibility into incidents, audit findings, and remediation progress. The signing officer needs confidence that the certification they are signing is accurate.
For CISOs, this creates both opportunity and responsibility. You are the source of information that executives rely on for certification decisions. Your reporting must be accurate, complete, and understandable by non-technical leadership. Overly optimistic assessments that lead to false certifications will eventually create serious problems.
Ongoing compliance vs. annual certification
Certification is annual, but compliance is continuous. You cannot be non-compliant for eleven months and scramble to certify in month twelve. The certification attests to compliance throughout the preceding year. This requires ongoing program operation, not just annual audits.
Continuous monitoring, regular assessments, and prompt remediation of identified issues maintain compliance between certifications. Documentation practices need to capture evidence throughout the year, not just at certification time. If you discover problems, address them promptly and document the remediation.
Practical certification checklist
- Review Part 500 requirements and map each to your current controls.
- Conduct penetration testing and vulnerability assessments if not done recently.
- Verify third-party service provider oversight meets requirements.
- Ensure risk assessment is current and reflects your actual environment.
- Review incident response procedures and test them.
- Gather documentation supporting compliance throughout the preceding year.
- Brief the signing officer on compliance status and any areas of concern.
- File certification by the deadline with accurate attestation.
NYDFS Part 500 certification sets a model that other regulators are watching. Financial services organizations in New York are building governance and compliance capabilities that may become standard expectations across the industry. Organizations that treat certification seriously build stronger security programs; those that treat it as paperwork create liability without corresponding protection.