New York Cybersecurity Regulation Requires Submission of Compliance Certification or Acknowledgement of Noncompliance Next Week
On April 3, 2025, the New York State Department of Financial Services (“DFS”) issued reminders about upcoming implementation and reporting deadlines related to its cybersecurity regulations. Upcoming deadlines require affirmative steps from regulated entities to demonstrate compliance with the New York Cybersecurity Regulation, including a submission of a first-of-its-kind compliance certification or acknowledgement of noncompliance.
The New York Cybersecurity Regulation (Part 500), originally enacted in 2017 and amended most recently in 2023, requires regulated entities (e.g., entities chartered, licensed, or approved to operate in New York under banking, insurance, and financial services laws) to assess their cybersecurity posture and safeguard consumer information against unauthorized access by cybercriminals. For background on the Cybersecurity Regulation, check out our summary here.
In its April 2025 update, DFS highlighted upcoming deadlines pursuant to the Cybersecurity Regulation:
- Compliance Submissions. Covered entities are required to submit either a “Certification of Material Compliance” with the law, or an “Acknowledgement of Noncompliance” with the law’s requirements by April 15, 2025 through DFS’s online portal.
The Certification of Material Compliance must certify that a covered entity materially complied with all Part 500 regulatory requirements in calendar year 2024. The Acknowledgement of Noncompliance must identify all sections of Part 500 with which the covered entity has not complied and must be accompanied by a remediation timeline.
This requirement is more prescriptive than we typically see from cybersecurity regulations. We expect to see activity from regulators and plaintiffs in response to compliance submissions. Entities submitting noncompliance acknowledgements should be prepared for follow-up regarding remediation, and entities representing compliance should be prepared for increased scrutiny in the form of Monday morning quarterbacking.
As this first-of-its-kind compliance reporting obligation rolls out, industry stakeholders will be watching how regulators, consumers, and plaintiffs respond.
- Access Management. By May 1, 2025, covered entities must implement policies and procedures related to enhanced user access, audits of user access, termination of access, and complex password requirements.
- Vulnerability Management. By May 1, 2025, covered entities must conduct automated system scans to detect and analyze vulnerabilities as required by internal risk assessments and after any material changes to company systems, and implement specific controls to protect against malicious code.
- Monitoring and Training. By May 1, 2025, certain types of covered entities must implement endpoint detection and response solutions as well as a centralized logging and security event solution.
- Enhanced MFA Requirements. By November 1, 2025, certain categories of covered entities must implement multifactor authentication for any individual accessing covered entity information systems, regardless of location, type of user, or type of information, subject to certain exceptions.
DFS has committed to releasing guidance to assist covered entities of all sizes in complying with the prescriptive Part 500 Cybersecurity Regulation. As we wait for DFS to respond to this first deadline, entities should prioritize implementation of the remaining requirements, as these technical, administrative, and audit requirements can take significant implementation cost and time.
If you have questions about any of the requirements contained in this alert or whether your company is subject to the Cybersecurity Regulation, please contact your Quarles privacy attorney or:
- Meghan O'Connor: (414) 277-5423 / meghan.oconnor@quarles.com
- Kaitlyn Fydenkevez: (202) 780-2642 / kaitlyn.fydenkevez@quarles.com