The first amendment to NYDFS Part 500, adopted in April 2020, was a narrow, administrative update that changed only one requirement: the deadline for filing the annual certification of compliance. It did not alter any substantive cybersecurity obligations.
What the first amendment changed
- Annual Certification Deadline Moved
NYDFS shifted the deadline for the annual Certification of Compliance from February 15 to April 15 (each year).
This gave covered entities an additional two months to complete internal reviews, finalize documentation, and submit the required certification.
Why the amendment was made
NYDFS explained that the cybersecurity landscape had evolved significantly since Part 500 was first enacted in 2017, with:
- Increasingly sophisticated threat actors
- Greater prevalence of cyberattacks
- Lower barriers to launching attacks (e.g., ransomware-as-a-service)
- More available cybersecurity controls at reasonable cost
While these broader trends motivated later, more substantive amendments (especially the 2023 “Second Amendment”), the 2020 amendment itself was limited to adjusting the filing date.
What the amendment did not change
The first amendment did not modify:
- Definitions
- Technical requirements (MFA, encryption, penetration testing, etc.)
- Governance requirements (CISO, policies, board oversight)
- Exemptions
- Incident reporting obligations
All substantive cybersecurity requirements remained exactly as originally enacted in 2017.
Practical impact for covered entities
The amendment primarily affected compliance operations:
- More time to complete annual internal assessments
- Better alignment with fiscal-year audit cycles
- Reduced administrative pressure during early-year reporting periods
For most organizations, this was a procedural convenience rather than a shift in regulatory expectations.
