Compliance Briefing — NYDFS Cybersecurity certification due for 2019

Executive briefing: For the 2019 reporting year, NYDFS required Covered Entities to submit their annual Cybersecurity Regulation certification by 2 March 2020 (moved from March 1 because it fell on a Sunday). The attestation obligates a senior officer or board to confirm compliance with 23 NYCRR Part 500 controls.

Why it matters

• Leadership accountability: executive sign-off raises the cost of understating deficiencies in cyber programs.
• Regulatory posture: missing certifications are treated as violations, inviting exams and potential penalties.
• Audit readiness: substantiating the certification requires evidence across access control, monitoring, and incident response.

Operator actions

1. Confirm submission: Verify 2019 certifications were filed in the DFS portal with board or senior officer approval.
2. Evidence pack: Retain control testing, risk assessment, and penetration test results that support the attestation.
3. Gap remediation: Track any Part 500 exceptions or timelines committed in the certification and assign owners.
4. Calendar 2020: Schedule quarterly reviews so 2020 certification workpapers are ready ahead of next March's deadline.