Annual Cybersecurity Certification - The Cybersecurity Regulation

When is the Deadline? 500.17

Under 500.17, Covered entities must certify with Part 500 by April 15.
In addition, Covered entities must by April 15, also submit to NYDFS either:

i. a Certification of Material Compliance; or

ii. an Acknowledgement of Noncompliance

What is Included in the Notice of Compliance with Part 500?

Under Section 500.17(b) of the NYCRR:

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by April 15th in such form set forth as Appendix A of this Title, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

What does my Company's Cybersecurity Program need?

Each Covered Entity must maintain a cybersecurity program designed to protect the Confidentiality,Integrity, and Availability of the Covered Entity's Information Systems. See 500.2

1. Develop and Implement policies and procedures for monitoring and assessing cybersecurity risks
2. Regularly test and update the effectiveness of the cybersecurity program
3. Maintain an inventory of information systems and data
4. Classify the data inventory according to its level of sensitivity
5. Develop and implement policies and procedures for incident response
6. Conduct periodic cybersecurity training for all employees
7. Conuct periodic vulnerability assessments and penetration testing
8. Use defensive infrastructure to protect from unauthorized access, use or malicious acts.

What should YOU do?

Update incident response plans to be in compliance with the latest Amendment
Determine if you are a class A company
Prepare to comply with new reporting mandates
Revise your cybersecurity program

Are you a Class A Company? 500.1(d)

A Company is defined at 500.1(d) as a Covered Entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates and:

over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.

For purposes of this subdivision, when calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity. vered entity with at least $20,000,000 in gross annual