
December 31 NYDFS Deadline: Compliance Requirements for Limited Exemption Organizations

New York’s cybersecurity regulation, 23 NYCRR Part 500, has been evolving rapidly, and 2025 marks a major turning point for organizations operating under the Limited Exemption.

What Limited Exemption Organizations Must Complete by December 31 to Stay Compliant with 23 NYCRR Part 500

Even though exempt companies have fewer administrative burdens than larger financial institutions, the core cybersecurity requirements still apply, and regulators expect them to be taken seriously. 

If your business falls under the Limited Exemption, the end of this year is an important milestone. By December 31, you must have all required cybersecurity controls in place so you can truthfully attest to compliance in your 2026 Certificate of Compliance. 

This isn’t just a regulatory checkbox. New York designed these requirements to reduce real risk, protecting your customers, your business operations, and your reputation. Below is a clear, non-technical breakdown of what you must complete before year-end. 

1. Maintain a Written Cybersecurity Program

Every limited-exemption organization is required to maintain a written cybersecurity program. This doesn’t have to be dozens of pages, but it does need to be: 

  • Documented (not kept in someone’s head) 
  • Aligned to your business operations 
  • Regularly updated 

Your program must explain how you identify, protect, detect, respond to, and recover from cybersecurity threats. Even small companies must show that they have a real cybersecurity structure in place. 

2. Implement Written Policies and Procedures

By December 31, your organization must maintain policies that address the following, at a level appropriate for your size and risk: 

  • Access control (who gets access to what) 
  • Asset inventory (hardware, software, accounts, and data you rely on) 
  • Data retention and secure disposal 
  • Third-party service provider oversight 
  • Business continuity and disaster recovery 
  • Incident response 
  • Change management and system development practices 
  • Monitoring and logging expectations 

These policies can be simple and practical, but they must exist, be approved by leadership, and reflect how you actually work. 

3. Multi-Factor Authentication (MFA) Everywhere It’s Required

One of the most important requirements is multi-factor authentication, especially for: 

  • Email accounts 
  • Remote network access 
  • Administrative access (IT admin tools, cloud portals, etc.) 

If you haven’t deployed MFA universally, that must be completed before year-end. 

4. Annual Risk Assessment

This is a cornerstone requirement, even for exempt companies. Each year, you must perform a risk assessment that: 

  • Identifies your sensitive data and critical systems 
  • Reviews your cybersecurity risks 
  • Determines whether your controls are adequate 
  • Drives updates to your cybersecurity program 

Many organizations mistakenly believe the exemption removes this requirement; it does not. 

Your Certificate of Compliance requires you to confirm that an annual risk assessment was completed. 

5. Annual Cybersecurity Awareness Training

Every employee must receive cybersecurity awareness training at least once per year. For exempt companies, this can be a simple, practical training session focused on real-world threats like: 

  • Email phishing 
  • Password hygiene 
  • Handling sensitive information 
  • Recognizing suspicious activity 

You must document who took the training and when.

6. Incident Response Plan

You must maintain a written Incident Response Plan (IRP) that explains: 

  • How you identify and report security incidents 
  • Who is responsible for what during an event 
  • How you contain and recover from cyberattacks 
  • How the business continues operations 

This plan must be reviewed and approved annually. 

7. Notice to the State Within 72 Hours of a Cyber Event

This isn’t something you “complete” by December 31, but you must have the process in place. 

If you experience a cybersecurity event that impacts your operations or customers, you are required to notify the New York Department of Financial Services (NYDFS) within 72 hours. 

Your incident response plan should explain exactly how this notification will occur.

8. Annual Certification of Compliance (Starting in 2026)

In 2026, your executive leadership will sign an official Certificate of Compliance attesting that: 

  • You complied with all applicable requirements in 2025 
  • You implemented all required controls 
  • You conducted your annual risk assessment 
  • You maintained documentation to support your compliance 

This means the work must be completed now, in 2025, to ensure your 2026 certification is accurate. 

NYDFS takes false attestations very seriously; leaders should only sign if they have the documentation to back it up. 

Why This Matters

For many smaller regulated organizations, cybersecurity is often seen as a secondary priority behind revenue, operations, or customer service. But the Limited Exemption does not eliminate the responsibility to secure your environment. 

Failing to implement these controls exposes your business to: 

  • Regulatory fines 
  • Breach notification obligations 
  • Operational downtime 
  • Reputational damage 
  • Loss of customer trust 

The December 31 deadline is more than a compliance date; it’s an opportunity to strengthen your business.

How to Prepare Before the Deadline

Here’s a simple checklist you can use immediately: 

By December 31, verify that your organization has: 

  • A written cybersecurity program 
  • Approved cybersecurity policies 
  • Multi-factor authentication deployed 
  • A completed annual risk assessment 
  • Annual employee security training 
  • An up-to-date incident response plan 
  • Vendor oversight procedures 
  • Data retention and disposal standards 
  • Monitoring and access controls 
  • Documentation for each requirement 

If any of these items are missing or outdated, you still have time to correct course. 

Final Thoughts

Companies under the Limited Exemption have a unique advantage: they can meet the regulation with manageable, practical controls, with no need for enterprise-grade complexity. But the key is to ensure the work is documented, defensible, and aligned with your business risks before the December 31 deadline. 

If you need help interpreting the requirements, building your documentation, or performing your year-end risk assessment, I’d be happy to guide you through the process.

Book your compliance review now.
