As we previously reported, in 2023 the New York State Department of Financial Services (NYDFS) amended its cybersecurity regulation, 23 NYCRR 500 (or Part 500). As of November 1, 2024, Class A Companies and Covered Entities were required to comply with numerous Part 500 compliance obligations outlined here. 

April 15, 2025 Compliance Certification Deadline

Covered Entities have been required to submit annual compliance with Part 500 since the regulation's adoption; however, since 2024, Covered Entities now have the option to submit either a Certification of Material Compliance (certifying they materially complied with the regulation requirements that applied to them in the prior year) or an Acknowledgement of Noncompliance (identifying all sections of the regulation with which they have not complied and providing a remediation timeline).

The deadline for Covered Entities to submit annual compliance notifications for the 2024 calendar year is April 15, 2025. Submissions can be submitted through the NYDFS Portal. Covered Entities that qualify for full exemptions from Part 500 do not have to submit annual compliance notifications. For more information on the April 15 compliance deadline, guidance on which form to file, and step-by-step instructions, see NYDFS's Submit a Compliance Filing section in the Cybersecurity Resource Center or contact your Katten attorney.

May 1, 2025 Compliance Obligations

On May 1, 2025, Covered Entities are required to meet additional requirements under Part 500, including:

1. Access Privileges and Management

• Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
• Review access privileges and remove or disable accounts and access that are no longer necessary.
• Disable or securely configure all protocols that permit remote control of devices.
• Promptly terminate access following personnel departures.
• Implement a reasonable written password policy to the extent passwords are used. 

Covered Entities and Class A Companies must also address the below items:

1. Vulnerability Management: conduct automated scans of information systems, and a manual review of systems not covered by such scans” to discover, analyze, and report vulnerabilities at a frequency determined by their risk assessment and promptly after any material system changes.
2. Mailicious Code: Implement controls to protect against malicious code.

Class A Companies must further update their information security programs to include:

1. Monitoring and Training: Implement (1) endpoint detection and response solution to monitor anomalous activity and (2) centralized logging and security event alert solution. CISOs can approve reasonably equivalent or more secure compensating controls, but approval must be in writing.