Navigating NY DFS Part 500.17: Notice to Superintendent

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.17(a): Notice to Superintendent (Deadline: August 28, 2017)

This section is relatively simple, despite much of it being open to interpretation. It requires the covered entity to notify the superintendent within 72 hours of a cybersecurity event that:

  1. impacts the covered entity in such a way that requires notice to any government body, self-regulatory agency, or any other supervisory body; or
  2. has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.

Section 500.17(b): Notice to Superintendent (Deadline: February 15, 2018)

This section requires the covered entity to file a report annually (by February 15) that covers the prior calendar year. This report must utilize the form provided in Appendix A of 23 NYCRR 500 and certify the covered entity is in compliance with 23 NYCRR 500.

Records, schedules, and data supporting this report must be maintained for five years. If the covered entity identifies material improvements, updates, or redesigns to be made to areas, systems, or processes, the covered entity must document the identification and remedial efforts planned and underway to address them. This documentation must be available for inspection by the superintendent.