Skip to Content

Cybersecurity Filings

Key Questions About the Recent Cyber Regulation Notice

Why did I receive this notice?

All regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018.  Our records indicate that to date you have not made such filings under the regulation. Please be aware that if you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold.

What if I am late with my filing?

All Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible.  The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously.  The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.

What if I filed for an exemption from the cybersecurity regulations?

People who received the reminder are required to file the Certificate of Compliance even if you filed for an exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to the Covered Entity.

I have a receipt showing I filed already?

Please look at the receipt.  If the receipt number you received begins with an “E” then it is a receipt for filing a Notice of Exemption and not a receipt for filing the required Certificate of Compliance.  Your exemption does not excuse the filing noticed below.  The Certification of Compliance is to cover the period as of December 31, 2017 for all requirements of the cybersecurity regulation in force by that date.  If the receipt number starts with a “C” email with your name, license number and the receipt number from your cybersecurity Certificate of Compliance filing.

When will I receive a reply to my email?

DFS will reply to emails received in the above email box within 30 days.

Does this apply to me?

Section 500.01 (c) defines a Covered Entity for purposes of the Regulation as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  You will need to determine the applicability of the regulation to your particular circumstances.

How do I file a Certification of Compliance?

Certifications of Compliance should be filed electronically via the DFS Web Portal Please click the big orange box on the right hand corner that says “Cybersecurity Filing”. The Covered Entity will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.

Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)


Additional Resources

Updated 03/05/2018

Department of Financial Services


DFS Facebook page

Follow NYDFS on Twitter


Sign up online or download and mail in your application.