NY DFS Cybersecurity Certification: A Guide for Busy Leaders

Written by Libby King | Feb 12, 2026 9:55:17 PM

The first quarter of the new year is always demanding for financial service organizations. Business leaders are navigating tax season, audits, reporting deadlines, and constant operational pressures. For those regulated by the New York Department of Financial Services (NY DFS), there’s another important item on the calendar: the 2026 NY DFS Cybersecurity Certification, due April 15, 2026. With new regulatory requirements taking effect throughout 2025, understanding what this certification involves has become even more important.

This guide is designed to make the process clearer. It explains:

  • What the certification is
  • What companies need to file
  • Where to file it
  • What is new to the certification
  • What leaders are attesting to when they sign
  • How Governance, Risk, and Compliance (GRC) practices can make preparing for filing smoother, more organized, and far less stressful

Disclaimer: This article is provided for informational purposes only and does not constitute legal, compliance, or regulatory advice. We are not lawyers. Organizations should consult qualified legal counsel or compliance professionals regarding their specific obligations under NY DFS regulations.

What is NY DFS?

NY DFS is New York’s financial regulator, overseeing banks, insurance companies, mortgage lenders, fintechs, and many other financial services organizations operating in or licensed by New York.

To address rising cyber threats, NYDFS created 23 NYCRR Part 500, a cybersecurity regulation that sets minimum security expectations for regulated organizations.

Why this matters to non‑financial businesses:
Even if your company is not directly regulated, you may be impacted if you provide IT or cloud services to a regulated entity (for example, as an MSP, SaaS provider, or vendor with system access).

What Is the NY DFS Cybersecurity Certification?

The NY DFS Cybersecurity Certification is an annual filing, required by NY DFS, where a regulated organization confirms that it followed all the NY DFS cybersecurity regulations during the previous year. Covered entities must submit this filing by April 15 each year.

The certification is not a technical test or audit submission. Instead, it’s a formal, legally binding attestation signed by senior leadership (typically a CEO, CIO, or CISO).

By signing, leadership is affirming that the company maintained required cybersecurity practices like risk assessments, policies, controls, and oversight throughout the year.

Who Needs to File by April 15, 2026

If you operate in or serve the financial sector in any regulated capacity, and you are licensed or supervised by NYDFS, then you almost certainly have to file.

NYDFS uses the broad term “Covered Entity” to describe who must comply with the regulation and file this cybersecurity certification. A Covered Entity in this case is any organization operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York’s:

  • Banking Law
  • Insurance Law
  • Financial Services Law

Where You File It

Covered Entities submit the NYDFS Annual Cybersecurity Certification through the New York Department of Financial Services’ secure online filing portal, known as the NYDFS Secure Portal.

23 NYCRR Part 500 Changes:

NYDFS significantly amended Part 500 in November 2023, launching the most sweeping cybersecurity updates since the regulation was first introduced in 2017.

The regulator made it clear that:

    • Cyberattacks (especially ransomware) are more frequent and more damaging
    • Basic security controls are no longer enough
    • Cybersecurity is now considered a board-level business risk, not just an IT issue

These changes rolled out in phases between late 2023 and 2025, fundamentally changing expectations through 2026.

Key NYDFS Changes (2024–2026)

Faster and More Detailed Incident Reporting

NYDFS tightened breach reporting rules:

  • Cybersecurity incidents must be reported within 72 hours
  • Ransomware payments must be reported within 24 hours
  • A written explanation is required within 30 days if a ransom is paid
  • Incidents at vendors or service providers can also trigger reporting obligations for the regulated company.

Real Accountability at the Top

NYDFS now explicitly requires:

    • Boards and senior executives to understand cybersecurity risks
    • Formal oversight of security programs
    • Annual certification of compliance or an admission of non‑compliance

This means cybersecurity failures can no longer be blamed solely on IT teams. Executives must prove they are paying attention, not just signing paperwork.

Stronger “Baseline” Security Expectations

By 2024–2025, NYDFS moved from “flexible guidance” to specific required controls, including, but not limited to:

  • Multi‑factor authentication (MFA)
    • Required for all individuals accessing the organization’s information systems
  • Vulnerability scanning and patching
  • Access controls and privileged account management
  • Disable or securely configure remote-control protocols
  • Promptly terminate accounts when employees depart
  • Maintain a written password policy that meets modern standards
  • Logging, monitoring, and incident response planning

Third-Party Risk Is Now a Top Enforcement Priority

In 2025, NYDFS issued formal guidance emphasizing that:

  • Companies cannot simply outsource cybersecurity responsibility. “Trusting your vendor” is not enough; you must be able to prove oversight.
  • Vendors, MSPs, cloud providers, and AI tools are now treated as core risk factors
  • Regulators expect contracts, due diligence, and ongoing oversight of service providers

Vulnerability Management Enhancements

    • Perform automated vulnerability scans
    • Conduct manual reviews for systems not covered by automated scanning

System Monitoring & Protection

    • Implement risk-based controls to protect against malicious code
    • Monitor and filter web and email traffic
    • Put controls in place to block malware and potentially harmful content

Asset Inventory Program

  • Organizations must maintain written policies and procedures for a complete, accurate asset inventory
  • Inventory must track:
    • Ownership
    • Classification/sensitivity
    • Location
    • Support/retirement dates
    • Recovery time objectives
  • Policies must define how often the inventory is updated and validated
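The inventory requirements above are easy to state and hard to keep true across hundreds of assets, so the practical question is how to validate an export on the cadence the policy defines. The script below is an added example, not code from the original article, from Usherwood, or from NYDFS. It assumes the inventory is exported as CSV with the column names shown, treats 90 days as the maximum age of a validation, and uses a constructed sample export; all of those are assumptions chosen for illustration. It flags missing ownership, classification, location, support dates or RTO, unknown classification labels, assets past their support end date, and entries whose last validation is stale.

```python
"""Asset-inventory completeness check.

Added example; not Usherwood's or NYDFS's code. The column names, the
90-day validation window, the classification labels and the sample rows
are all constructed assumptions for this illustration.
"""
import csv
import io
from datetime import date, timedelta

# Attributes the article says an inventory must track, plus an id and a
# validation timestamp so the update/validation cadence can be checked.
REQUIRED_FIELDS = ("asset_id", "owner", "classification", "location",
                   "support_end", "rto_hours", "last_validated")
VALID_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Constructed sample export: one clean row and several with defects.
SAMPLE_CSV = """asset_id,owner,classification,location,support_end,rto_hours,last_validated
SRV-001,jdoe,confidential,NYC-DC1,2027-06-30,4,2026-01-15
SRV-002,,internal,NYC-DC1,2027-06-30,8,2026-01-15
FW-003,asmith,restricted,AWS-us-east-1,2025-12-31,1,2026-01-15
LAP-004,bjones,secret,Remote,2028-01-01,24,2025-06-01
DB-005,cwhite,confidential,NYC-DC1,2027-06-30,,2026-01-15
"""


def _cell(row, col):
    """Return a stripped cell value; short rows yield None from DictReader."""
    return (row.get(col) or "").strip()


def _parse_date(value):
    """Return a date for an ISO string, or None when blank or unparseable."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def check_inventory(csv_text, today_iso, max_validation_age_days=90):
    """Return a dict mapping asset_id -> list of finding strings.

    Assets with no findings are omitted, so an empty dict means the export
    passes every check. A schema problem is reported under the key "_schema".
    """
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    present = reader.fieldnames or []
    missing_cols = [c for c in REQUIRED_FIELDS if c not in present]
    if missing_cols:
        return {"_schema": [f"missing column(s): {', '.join(missing_cols)}"]}

    stale_before = today - timedelta(days=max_validation_age_days)
    findings = {}
    for row in reader:
        problems = []
        asset_id = _cell(row, "asset_id") or "<blank asset_id>"

        # Every required attribute must be populated.
        for col in REQUIRED_FIELDS:
            if not _cell(row, col):
                problems.append(f"missing {col}")

        # Classification must come from the agreed label set.
        cls = _cell(row, "classification").lower()
        if cls and cls not in VALID_CLASSIFICATIONS:
            problems.append(f"unknown classification '{cls}'")

        # An asset past its support/retirement date is an open risk item.
        support_end = _parse_date(_cell(row, "support_end"))
        if support_end and support_end < today:
            problems.append(f"support ended {support_end.isoformat()}")

        # RTO must be a number of hours, not free text.
        rto = _cell(row, "rto_hours")
        if rto and not rto.isdigit():
            problems.append(f"non-numeric rto_hours '{rto}'")

        # Validation older than the policy window means the record is stale.
        validated = _parse_date(_cell(row, "last_validated"))
        if validated and validated < stale_before:
            problems.append(f"not validated since {validated.isoformat()}")

        if problems:
            findings[asset_id] = problems
    return findings


if __name__ == "__main__":
    for asset, problems in check_inventory(SAMPLE_CSV, "2026-02-12").items():
        print(asset, "->", "; ".join(problems))
```

Run against a real export, the output is the list of records a GRC owner has to chase before the inventory can honestly be called complete and accurate; scheduling the run at the interval the policy names turns the "how often is it validated" requirement into something with evidence behind it.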

Who Can Sign the Certification and Why That Matters

NYDFS is very specific about who is allowed to sign the Annual Certification of Compliance. The agency requires that it be signed by senior leadership; this can be a CEO, CIO, CISO, or someone in a similar position.

Why does this matter?
Signing inaccurately can lead to enforcement actions, investigations, fines, and reputational damage. NYDFS has said repeatedly that it expects leaders to take this certification seriously, and penalties show they mean it.

What Leaders Are Actually Attesting To

    • That the organization has completed a cybersecurity risk assessment
    • That required cybersecurity policies exist and are followed
    • That controls like access management, MFA, logging, and monitoring are in place
    • That vendors and third parties are reviewed for cybersecurity risk
    • That there is an incident response plan
    • That employees are trained on security basics

Common Gaps Organizations Discover While Preparing

As leaders begin gathering information for the NYDFS cybersecurity certification, they often uncover gaps they didn’t realize existed. Most issues aren’t technical failures; they’re breakdowns in documentation, ownership, and process.

Common problems include:

    • Outdated or incomplete policies
    • Evidence scattered across shared drives, email threads, or personal folders
    • Controls that exist but haven’t been tested or monitored consistently
    • No clear owner for key cybersecurity tasks

These gaps typically show up when teams start preparing for certification, and they can slow everything down. This is exactly where a GRC function can make a major difference. A GRC team brings structure, centralized documentation, and clear accountability, helping organizations close these gaps early instead of discovering them under deadline pressure.

How a GRC Framework Helps Organizations Prepare

GRC Helps:

    • Repeatable processes instead of one-off emergencies
    • Clear ownership of policies, controls, and documentation
    • Centralized evidence, not scattered across email and shared drives
    • Consistent testing and monitoring of controls
    • Structured workflows that reduce deadline stress
    • Better alignment between IT, compliance, risk, and leadership
    • Higher executive confidence when it’s time to sign the certification

How GRC Support or a GRC Partner Fits In:

    • Gather and organize evidence
    • Update or create cybersecurity policies
    • Standardize vendor-management practices
    • Provide templates and frameworks regulators expect
    • Reduce uncertainty before the April 15 deadline

A GRC team is built to take this pressure off your plate. It helps organizations gather, create, and organize the evidence NYDFS expects, update cybersecurity policies, and bring structure to processes.

While the NYDFS cybersecurity certification deadline brings the pressure into focus, the real value of GRC happens long before April 15. A year‑round GRC function keeps policies updated, centralizes documentation, assigns clear ownership, and ensures controls are tested and monitored consistently. For many organizations, this ongoing support is what prevents last‑minute fire drills and helps leaders feel confident in what they’re attesting to. When gaps do appear, a dedicated GRC team can step in quickly to organize evidence, strengthen processes, and guide the organization toward a smooth, timely filing this year and an even easier one next year.

A Smarter, More Reliable Path to NYDFS Compliance

For many organizations, especially those with small or stretched teams, GRC support makes NYDFS certification preparation far easier. A structured GRC program or partner helps organize evidence, update policies, and bring consistency to processes that may otherwise be informal or fragmented.

GRC also aligns IT, compliance, risk, and leadership, so everyone is working from the same playbook. Organizations that invest in GRC early experience fewer surprises with NYDFS and other regulators. Make sure to submit your NYDFS cybersecurity certification on time every year, by April 15, to stay in compliance and avoid unnecessary regulatory issues.

If you’re interested in building or strengthening your GRC program, Usherwood is here to help. Reach out to us to learn more.