NY DFS Annual Certification: What It Is and How to Prepare

Espresso Labs Team

Under 23 NYCRR 500, every covered entity must submit an annual certification of compliance to the New York Department of Financial Services by February 15 of each year, covering the prior calendar year. The 2023 amendments significantly changed what this certification requires — moving from a simple checkbox to a more detailed attestation process with real legal and regulatory consequences.

What the Annual Certification Requires

The annual certification is submitted through the DFS online portal. Under the current rules, covered entities must:

  1. Certify full compliance: The CISO or equivalent certifies that the cybersecurity program materially complied with all applicable requirements of 23 NYCRR 500 during the prior calendar year.

  2. Or submit a notice of acknowledgment: If there are areas of non-compliance, the covered entity may instead submit an acknowledgment identifying the specific sections where it is not in compliance, with a remediation plan and timeline.

The choice between a full certification and a notice of acknowledgment is not a technicality — submitting an inaccurate full certification can expose the company and its executives to enforcement action, while a notice of acknowledgment starts the clock on remediation commitments.

What Documentation You Need

Before your CISO can sign the certification, you need documentation to support each material assertion. This typically includes:

Governance Documentation

  • Board-approved cybersecurity policy (current version)
  • Board meeting minutes or resolutions showing cybersecurity was presented to the board
  • CISO annual board report (demonstrating the annual board reporting requirement was met)
  • Risk assessment results for the certification year

Technical Control Evidence

  • MFA enrollment reports showing coverage of all privileged accounts and remote access
  • Encryption configuration records showing NPI is encrypted in transit and at rest
  • EDR deployment records showing coverage across covered systems
  • PAM system reports showing privileged account controls are in place
  • Access review results showing least-privilege access and removal of unnecessary accounts

Testing and Monitoring Evidence

  • Penetration testing report from the current year, signed by a qualified tester
  • Quarterly vulnerability scan results
  • Audit log retention confirmation

Third-Party Vendor Records

  • Vendor inventory with classifications
  • Vendor security assessment results for critical providers
  • Contractual security requirement documentation

Incident Response Evidence

  • Current incident response plan (dated, reviewed)
  • Tabletop exercise results or equivalent annual test documentation

Common Certification Mistakes to Avoid

Certifying before controls are actually in place: Some organizations sign the certification without verifying that required controls like MFA on all privileged accounts are actually deployed. The DFS has cited this as a basis for enforcement actions.
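The check that this mistake calls for is mechanical: reconcile the account inventory against the MFA enrollment export and list every privileged or remote-access account that is not enrolled, before anyone signs. The script below is an added example, not code from Espresso Labs or from the DFS; the account records, the enrollment export, the field names (username, roles, remote_access, enrolled) and the set of roles treated as privileged are all constructed for the example and would be replaced by your own IAM and MFA exports.

```python
"""Reconcile an account inventory against an MFA enrollment export and report
privileged or remote-access accounts that lack MFA, so the evidence behind a
certification assertion is verified rather than assumed."""
from dataclasses import dataclass

# Constructed sample IAM export. Field names are assumptions for this example.
ACCOUNTS = [
    {"username": "alice", "roles": ["domain-admin"], "remote_access": True},
    {"username": "bob", "roles": ["helpdesk"], "remote_access": True},
    {"username": "carol", "roles": ["dba"], "remote_access": False},
    {"username": "dave", "roles": ["staff"], "remote_access": False},
    {"username": "svc-backup", "roles": ["server-admin"], "remote_access": False},
]

# Constructed sample MFA enrollment export, keyed by username.
# svc-backup is deliberately absent: accounts missing from the export entirely
# are a common gap that a simple "enrolled == False" filter would not surface.
MFA_ENROLLMENT = {
    "alice": {"enrolled": True, "factor": "fido2"},
    "bob": {"enrolled": False, "factor": None},
    "carol": {"enrolled": True, "factor": "totp"},
    "dave": {"enrolled": False, "factor": None},
}

# Roles your organization treats as privileged (assumed for the example).
PRIVILEGED_ROLES = {"domain-admin", "server-admin", "dba"}


@dataclass(frozen=True)
class Gap:
    username: str
    reason: str


def is_privileged(account, privileged_roles):
    return bool(privileged_roles & set(account["roles"]))


def in_scope(account, privileged_roles):
    # MFA is required for privileged accounts and for any remote access.
    return is_privileged(account, privileged_roles) or account["remote_access"]


def find_mfa_gaps(accounts, enrollment, privileged_roles=PRIVILEGED_ROLES):
    """Return one Gap per in-scope account that is unenrolled or unrecorded."""
    gaps = []
    for acct in accounts:
        if not in_scope(acct, privileged_roles):
            continue
        scope = "privileged" if is_privileged(acct, privileged_roles) else "remote-access"
        record = enrollment.get(acct["username"])
        if record is None:
            gaps.append(Gap(acct["username"], f"{scope} account missing from MFA export"))
        elif not record["enrolled"]:
            gaps.append(Gap(acct["username"], f"{scope} account not enrolled in MFA"))
    return gaps


def certification_readiness(accounts, enrollment, privileged_roles=PRIVILEGED_ROLES):
    """Summarize coverage; 'ready' is True only when every in-scope account has MFA."""
    gaps = find_mfa_gaps(accounts, enrollment, privileged_roles)
    scoped = sum(1 for a in accounts if in_scope(a, privileged_roles))
    return {
        "in_scope": scoped,
        "covered": scoped - len(gaps),
        "gaps": gaps,
        "ready": not gaps,
    }


if __name__ == "__main__":
    report = certification_readiness(ACCOUNTS, MFA_ENROLLMENT)
    print(f"MFA coverage: {report['covered']}/{report['in_scope']} in-scope accounts")
    for gap in report["gaps"]:
        print(f"  GAP {gap.username}: {gap.reason}")
    print("Ready to certify MFA control:", report["ready"])
```

Run against real exports, the output is the kind of dated, reproducible evidence that belongs in the technical-control file: a count of in-scope accounts, a count covered, and a named list of exceptions. Any non-empty gap list means the MFA assertion belongs in a notice of acknowledgment with a remediation timeline, not in a full certification.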

Missing the February 15 deadline: The deadline is fixed. Late certifications should be submitted as soon as possible with an explanation, but late filing can be cited in examinations.

Incomplete vendor documentation: The 2023 amendments added vendor management requirements. If your vendor risk assessments aren’t current or don’t cover critical providers, the certification may be inaccurate.

Board reporting gap: The CISO must report to the board (not just to management). If this step was skipped or only done at the management level, you may not meet the requirement.

How the DFS Uses the Certification

The DFS uses certifications to prioritize examination activity. Entities that submit notices of acknowledgment with significant gaps may receive more attention. Entities where the certification doesn’t match the DFS’s own examination findings may face enforcement action.

The DFS has imposed substantial penalties on covered entities — including multi-million dollar settlements — for misrepresenting compliance status in certifications. The certification process is taken seriously by regulators.

How Espresso Labs Helps

Espresso Labs manages the continuous compliance work that makes the annual certification straightforward. By the time February 15 arrives, our clients have current documentation, verified technical control deployment, recent penetration testing results, and vendor assessment records — everything the CISO needs to certify with confidence. We can also provide vCISO services if your organization needs an executive-level compliance officer to lead the certification process.

Ready to Get Started?

CMMC compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on winning contracts, not managing controls.
