Listen to this post

Keypoint: Section 500.17(b) of 23 NYCRR Part 500 (“Part 500”) requires all non-exempt Covered Entities regulated by the New York Department of Financial Services to submit their annual notices of compliance by April 15th.

Businesses that are subject to the NYDFS Cybersecurity Regulations have four weeks left to submit their annual notices of compliance or acknowledge their noncompliance. When the regulations were amended in 2023, several of the new requirements were phased in over two years. Businesses cannot simply re-use their notice from last year, without confirming that the new obligations were met and preparing for the requirements going into effect in 2025.  

As of November 2024, Covered Entities must submit either a:

  • Certification of Material Compliance: Covered Entities that materially complied with all applicable sections of Part 500 during the previous calendar year must submit a Certification of Material Compliance; or
  • Acknowledgment of Noncompliance: Covered Entities that are unable to certify material compliance must file an Acknowledgment of Noncompliance, detailing the non-compliant sections, the extent of noncompliance, and includes a remediation timeline or confirmation that the remediation was completed.

Covered Entities must submit these notices signed by both the highest-ranking executive and the Chief Information Security Officer (CISO), or the senior officer responsible for the cybersecurity program if no CISO exists. They must also retain all supporting records, schedules, and documentation for 5 years for examination by the department upon request.

Recently Effective Amendments to Part 500

As a reminder, several amendments to Part 500 went into effect in April and November of 2024, with more going into effect in May and November of 2025. These amendments impose additional obligations on Covered Entities for 2024 and 2025, including:

  • CISOs must submit annual cybersecurity reports to Covered Entities’ governing bodies
  • Annual penetration testing
  • Automated vulnerability scans, with manual review of systems not covered by automation
  • An audit trail designed to maintain records for at least the preceding five years
  • Written procedures and standards for –
    • Secure development of in-house applications, and
    • Evaluation of externally developed applications
  • Use of multi-factor authentication for remote access and privileged accounts
  • Implementation of asset management and data retention procedures
  • Cybersecurity awareness training for all personnel, to include education on social engineering threats, which is delivered annually if not more often  
  • Implementation of risk-based policies, procedures, and controls to monitor authorized users and detect unauthorized access or detect the use of nonpublic information
  • Implementation of endpoint detection and response (EDR) solutions to monitor anomalous activity
  • Implementation of a written data encryption policy for data in transit and at rest.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Erik Dullea Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before…

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Read more about Erik DulleaErik's Linkedin Profile
Show more Show less
Photo of Matti Mortimore Matti Mortimore

Matti offers practical solutions to corporate matters.

After earning a graduate degree in philosophy, Matti wanted a career where he could offer practical help: as much as he enjoyed his original field, he wanted the opportunity to give clients clear solutions to their

Matti offers practical solutions to corporate matters.

After earning a graduate degree in philosophy, Matti wanted a career where he could offer practical help: as much as he enjoyed his original field, he wanted the opportunity to give clients clear solutions to their business problems. Matti was also drawn to the people-driven nature of law and business.

Matti’s research had focused heavily on economics, and his interest in markets translated into an enthusiasm for corporate, transactional, and securities matters. He is passionate about the ways businesses generate social wealth, and he loves the opportunity to help businesspeople grow their companies and contribute to their communities.

As a summer associate with Husch Blackwell, Matti assisted a variety of teams, including healthcare, real estate, litigation, corporate, and the newly established psychedelics practice group. He joined the firm as a full associate in 2023 and currently supports clients throughout the corporate transaction process.

At his core, Matti believes in truly understanding each client and their goals. He prioritizes genuine relationships built on trust and consideration, and he strives for complete client satisfaction. Matti embodies responsibility, consistently delivers on his promises, and is committed to serving clients as a trusted partner.

Read more about Matti MortimoreMatti's Linkedin Profile
Show more Show less
Related Posts
image
New York Amends its Data Breach Notification Law
February 25, 2025
 New York Legislature Passes Health Information Privacy Bill
January 27, 2025
 NYDFS Warns Against the Threat of Accidentally Hiring North Korean Remote IT Workers
November 4, 2024