The NYDFS 500 Annual Certification: What to Know Before April 15
Every April 15, firms regulated by the New York Department of Financial Services must file an annual certification under 23 NYCRR 500. April 2026 is the first filing that covers every amended requirement. If you haven't started preparing, you're already behind.
Two filing options (not one)
Section 500.17(b) gives you two choices. Most people only know about the first one.
- Certification of Material Compliance. You are certifying that your firm materially complied with every applicable section of Part 500 during the prior calendar year. This is what you want to file. It means you did the work, you have the evidence, and you're putting your name on it.
- Acknowledgment of Noncompliance. You are disclosing that your firm did not materially comply with one or more sections. You identify the specific areas of noncompliance, describe your remediation plans, and provide a timeline for getting into compliance.
Filing an Acknowledgment of Noncompliance is not the end of the world. It is far better than filing a false Certification of Material Compliance, and DFS has said as much. But it does create an enforcement record. It tells the regulator exactly where to look if it decides to examine your firm, and it starts a clock on your remediation timeline that you will be held to.
Who signs?
Both the CEO (or equivalent senior officer) and the CISO must sign the annual certification. You cannot delegate this. The regulation requires both signatures because it wants personal accountability from the person running the business and the person running the cybersecurity program.
If your CISO is outsourced, that individual still co-signs. If your CEO hasn't been involved in cybersecurity decisions all year, April is not the time for a crash course. The signature carries personal liability. Both signers should be able to explain, under examination, why they believe each section of Part 500 was satisfied.
Why April 2026 is different
The November 2023 amendments to 23 NYCRR 500 rolled out in phases. Some requirements took effect in 2024. Others did not take effect until late 2025. April 2026 is the first annual certification that covers all of the amended requirements, including:
- Enhanced governance requirements (Section 500.4)
- Updated access privilege controls (Section 500.7)
- Asset inventory and management (Section 500.13)
- Encryption of nonpublic information in transit and at rest (Section 500.15)
- Incident response and business continuity (Section 500.16)
If you certified in April 2025, you only had to cover the first wave of amended sections. This year, there is no phase-in buffer. Every section is in play.
Five-year documentation retention
Section 500.17(b) requires you to keep all records, schedules, and data supporting your certification for at least five years. Your 2026 filing and its supporting evidence must be retrievable through at least 2031.
"Supporting evidence" is not a single binder. It includes penetration test reports, access reviews, training records, board meeting minutes, risk assessments, and policy version history, among other things. If DFS asks to see the evidence behind your certification two years from now, you need to produce it.
Small firms: the Notice of Exemption
If your firm qualifies for a limited exemption under Section 500.19 (fewer than 20 employees, less than $7.5 million in gross annual revenue, or less than $15 million in total year-end assets), you file a Notice of Exemption, not a Certification of Material Compliance. The exemption is not automatic. You must affirmatively file it, and you must re-evaluate your eligibility annually. Growing past the thresholds mid-year triggers full compliance obligations.
Practical steps: how to prepare
1. Run a gap assessment in Q1
Walk through every section of Part 500, line by line. For each requirement, check whether you have a documented policy, whether that policy is actually implemented, and whether you can prove it. Be honest. The worst outcome is certifying compliance and then failing an exam.
2. Map every section to evidence
Create a crosswalk that ties each Part 500 section to specific artifacts: your penetration test report for Section 500.5, your access privilege review for Section 500.7, your training records for Section 500.14. If a section maps to nothing, you have a gap.
3. Determine which filing option fits
If your gap assessment reveals material deficiencies that cannot be remediated before April 15, file the Acknowledgment of Noncompliance. Be specific about what you're missing and realistic about your remediation timeline. DFS respects transparency. They do not respect false certifications.
4. Brief your CEO and CISO together
Both signers need to review the evidence crosswalk, understand the gaps (if any), and agree on the filing option. This is not a rubber stamp. Schedule a meeting. Walk through the sections. Make sure both signers can defend their decision.
5. File and archive
Submit through the DFS portal by April 15. Then archive the complete evidence package, the filing confirmation, and any supporting correspondence. Set a calendar reminder for five years out.
Do not treat this as a formality
The annual certification is a personal attestation, signed by your CEO and CISO, that your firm met every requirement of 23 NYCRR 500 for the prior year. April 2026 is the first filing with no phase-in cushion. Know your gaps. Map your evidence. Pick the right filing option before the deadline arrives.
Need help organizing the evidence? See how BlackSheep maps every Part 500 section to auditable proof.