(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by [February] April 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

Appendix A is amended to read as follows:

(Covered Entity Name)

[February] April 15, 20___

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations The Board of Directors or a Senior Officer(s) of the Covered Entity certifies:

(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;

(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of ___ (date of the Board Resolution or Senior Officer(s) Compliance Finding) for the year ended ___ (year for which Board Resolution or Compliance Finding is provided) complies with Part ___.

Signed by the Chairperson of the Board of Directors or Senior Officer(s)

(Name) ___________ Date: ___________

(DFS Portal Filing Instructions)

This proposed rulemaking makes only a technical change, specifically changing from February to April the date by which certificates of compliance required to be submitted to the Department under Part 500 are to be received. As this has no impact on the substantive requirements under Part 500 and merely changes the date on which certifications must be received, and gives Covered Entities more, rather than less time, no person is likely to object to the adoption of this amendment.

Accordingly, this rulemaking is determined to be a consensus rulemaking, as defined in State Administrative Procedure Act (“SAPA”) § 102(11), and is proposed pursuant to SAPA § 202(1)(b)(i). Therefore, this rulemaking is exempt from the requirement to file a Regulatory Impact Statement, Regulatory Flexibility Analysis for Small Businesses and Local Governments, or a Rural Area Flexibility Analysis.

The proposed amendment to Part 500 should have no impact on jobs and employment opportunities. This proposed rulemaking would merely change the date on which the certifications of compliance must be submitted. Further, the proposed rulemaking would extend, rather than shorten the time provided to Covered Entities to submit any required certification of compliance. Therefore, the Department has determined that any small effect this regulation would have on jobs or employment opportunities would be to the benefit of Covered Entities and would thus have a positive impact on the same.