Given the ongoing COVID-19 pandemic, the New York State Department of Financial Services (NYDFS) extended the deadline for covered entities to submit their certifications of compliance for calendar year 2019 under 23 NYCRR 500, or the Cybersecurity Regulation. The new deadline is June 1, 2020.
Under Section 500.17, covered entities are required to annually submit to NYDFS a written statement certifying that they were compliant with the Cybersecurity Regulation for the prior calendar year. Covered entities must maintain records supporting the certification for five years.
Covered entities that are exempt from certain sections of the Cybersecurity Regulation are required to provide NYDFS notice of their exempt statute. Those covered entities that previously filed a notice of exemption do not need to file new notices, although any change in status should be reported (e.g., if a previously exempt entity is no longer exempt).
Covered entities can submit their certification of compliance filings online via the NYDFS Cybersecurity Portal located here.