The Certification of Material Compliance and the Acknowledgment of Noncompliance are the two annual governance filings required under NYDFS Part 500 § 500.17(b). Together, they form the core mechanism by which NYDFS holds senior leadership accountable for the institution's cybersecurity posture. Both filings must be submitted by April 15 each year and must be signed by the highest-ranking executive and the CISO (or, if no CISO exists, the senior officer responsible for cybersecurity).
Certification of Material Compliance
This filing is a formal attestation that the covered entity was in material compliance with all applicable requirements of Part 500 during the prior calendar year. NYDFS defines “material compliance” through regulatory guidance and enforcement practice, emphasizing that:
- The entity must have implemented and maintained the required cybersecurity program.
- Any gaps must not rise to the level of material noncompliance.
- The certification must reflect actual conditions, not aspirational or planned compliance.
NYDFS provides detailed instructions for submitting this certification through the DFS Portal, including account creation and portal access steps.
What the certification represents
Signing the certification means senior leadership is attesting that:
- Cybersecurity policies were approved and implemented.
- Required technical controls (e.g., MFA, logging, vulnerability management) were in place.
- Risk assessments, training, and governance processes were completed.
- Incident reporting obligations were met.
Because the certification is signed by the highest-ranking executive and the CISO, it creates personal accountability for the accuracy of the attestation.
Acknowledgment of Noncompliance
If the entity cannot truthfully certify material compliance, it must instead file an Acknowledgment of Noncompliance.
What the acknowledgment requires
The filing must identify:
- The specific sections of Part 500 with which the entity was not in material compliance.
- The time period during which noncompliance occurred.
- The general nature of the deficiencies.
NYDFS expects entities to maintain internal documentation describing remediation plans, timelines, and corrective actions, even though this detail is not always submitted directly.
Why this filing matters
The acknowledgment is not optional. NYDFS has made clear through enforcement that:
- Filing a certification when the entity is not materially compliant is a false attestation.
- Filing an acknowledgment is not an admission of wrongdoing—it is a required disclosure.
- Failure to file either document is itself a violation.
Governance and accountability implications
These filings are central to NYDFS’s governance model:
- They force senior leadership to engage with cybersecurity risks.
- They create a documented record of compliance status year over year.
- They support NYDFS’s supervisory and enforcement activities.
The Second Amendment (2023) heightened expectations by requiring more detailed internal documentation and by clarifying that senior officers must understand the cybersecurity program well enough to make an informed attestation.
Practical considerations for covered entities
- Internal audits and risk assessments must be completed early enough to support the April 15 deadline.
- CISOs must prepare detailed reports to support executive decision-making.
- Entities should maintain a defensible record of compliance activities, exceptions, and remediation.
- Vendor-related gaps, MFA exceptions, and incident response issues often drive the need for an acknowledgment.
