“Covered Entities” that have not yet submitted a certification of compliance for the New York Department of Financial Services’ NYDFS 500 Cybersecurity Regulation (also known as 23 NYCRR 500) received a none-too-gentle “reminder” earlier this month that they need to do so “as soon as possible.”
Further, the notice stated that failure to certify compliance would be viewed as indicative of a “substantive deficiency” in the organization’s cybersecurity program.
In its FAQ online, the DFS states:
“The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification.”
Unlike many other cybersecurity frameworks that recognize “progress” towards compliance, the NYDFS 500 cybersecurity regulation has put a firm stake in the ground: either you’re in, or you’re out.
Inflexible regulations often end up falling short of the ultimate goal that created a need for the regulation in the first place—to create a safe and fair environment for people and companies to conduct business.