NYDFS Part 500 software so you can sign the certification and stand behind every word.
Once a year you and your CEO sign the §500.17 certification, jointly, under penalty, attesting to material compliance with Part 500. If DFS later finds a gap, that signature is personal. The question is whether you can prove the certification was backed by evidence, or whether you signed and hoped. RiskWatch captures the materiality call on every section and the audit trail both signers see, all year, so April 15 is a confirmation you can defend, not a leap of faith. (Covers all 23 NYCRR Part 500 sections post-2023, the 8 examiner document types, and dual-signature certification. $144M+ in DFS fines since 2021 across 27 consent orders.)
- All 23 NYCRR Part 500 sections (post-2023 amendments)
- CISO + CEO dual-signature certification with audit-trail-grade evidence
- 8 examiner document types maintained continuously
- Material-compliance assessment per section · officer-defense documentation
What is NYDFS Part 500 compliance software?
§500.17 is the regulator’s nightmare, CISO and CEO sign jointly. RiskWatch makes the materiality assessment defensible per section, captures the dual-signature audit trail both signers see, and produces all 8 of the document types DFS examiners always request. Most teams have 3 of 8 ready when the examiner shows up. Aligned to 23 NYCRR Part 500 across all 23 sections, with officer-defense documentation captured continuously.
Part 500 stopped being a corporate problem. It is now your signature on the line.
The 2023 amendments moved the risk from the company to the people who sign. When DFS finds any Part 500 violation, it routinely stacks a certification-violation charge on top, which puts the CISO and CEO who signed in personal jeopardy. The examiner then asks for 8 specific document types, and most teams can produce 3. Here is where that exposure builds, and how RiskWatch closes it before the exam. ($144M+ in DFS fines since 2021 across 27 consent orders.)
CISO + CEO dual-signature on the certification. Personal liability.
The 2023 Second Amendment requires both CEO and CISO to sign the annual certification, and certification must be based on data and documentation sufficient to demonstrate “material” compliance. Dual-signature workflow with evidence-backed certification, neither signer attests to anything not backed by audit trail.
Examiners ask for 8 specific documents. Most teams have 3.
DFS examiners routinely request: cybersecurity policy, system architecture and data flow diagrams, IR + BCDR plans, risk assessment reports, CISO board reports + governance minutes, training logs + access recertifications, annual cert justifications, third-party assessments. All 8 maintained continuously, examiner-aligned format, audit-trail-grade.
Material compliance qualifier ≠ partial compliance. DFS adds cert violations on top.
The June 2023 amendment added “material” to the certification standard. But DFS often adds certification-violation charges whenever it finds any other Part 500 violation, exposing executives to personal jeopardy. Materiality assessment per section, with the audit trail showing what was material vs immaterial, defensible if DFS challenges the cert.
Both signers attest. Both face personal liability.
The 2023 amendments require CEO and CISO to sign the annual certification jointly. Each signature carries personal liability for material compliance. Both signers see the same audit trail, materiality assessments per section, supporting evidence for every assertion, and the officer-defense documentation that proves the certification was based on data, not just attestation.
When DFS challenges a certification (which happens, DFS adds certification-violation charges on top of any other Part 500 violation), the audit trail is what defends both officers. The platform captures it continuously throughout the year so April 15 cert is confirmation, not retrospective justification.
What DFS always asks for. Most teams have 3 of 8.
The DFS examiner document request is consistent across examinations: cybersecurity policy + program, system architecture diagrams, IR + BCDR plans, risk assessments, CISO board reports, training logs + access recertifications, cert justifications, and third-party assessments. Most NY-licensed FIs have policy + IR + risk assessments, and scramble for the rest the week before the exam.
The platform maintains all 8 continuously in DFS-aligned format. When examiners arrive, you hand them a current pack, not a 90-day-old one with stale dates that triggers follow-up requests.
Every document DFS asks for, mapped to its Part 500 section.
The 8 document types DFS examiners routinely request, as a table. Each document, the Part 500 section it answers to, and the cadence RiskWatch keeps it current. Most teams have 3 of 8 when the examiner arrives.
| # | Examiner document type | Part 500 section | RiskWatch keeps current |
|---|---|---|---|
| 1 | Cybersecurity Policy + Program | §500.2 / §500.3 | Q4 2026 |
| 2 | System Architecture + Data Flow Diagrams | Network topology + data classification | Q3 2026 |
| 3 | IR + BCDR Plans | §500.16 | Q4 2026 |
| 4 | Risk Assessment Reports | §500.9 | Q3 2026 |
| 5 | CISO Board Reports + Governance Minutes | §500.4 | Q4 2026 |
| 6 | Training Logs + Access Recertifications | §500.14 + §500.7 | Q4 2026 |
| 7 | Annual Cert Justifications | §500.17, material-compliance evidence | Apr 2026 |
| 8 | Third-Party Service Provider Assessments | §500.11 | Q4 2026 |
The dual-signature workflow gave both of us the same audit trail. CEO signed because the evidence was there. CISO signed because there was no surprise gap.
NYDFS Cert + Examiner Pack
Twenty-six page pack covering all 23 sections + dual-signature workflow + materiality assessment template + all 8 DFS examiner document types in DFS-aligned format.
- Per-section materiality template
- Dual-signature workflow
- 8 examiner-doc templates
- Officer-defense doc guide
Looking for NYDFS ↔ NIST CSF ↔ FFIEC ↔ GLBA crosswalk? Find it on the compliance frameworks hub.
Common questions, answered up front.
About NYDFS 23 NYCRR Part 500, the 2023 amendments, dual-signature certification, examiner documentation, and how RiskWatch covers all of them.
What is NYDFS Part 500 compliance software?
What changed in the 2023 amendments?
What 8 document types do DFS examiners request?
How does the dual-signature certification work?
Is there a free trial?
Build your certification pack this week.
Start a 30-day free trial, all 23 Part 500 sections, dual-signature certification workflow, examiner document templates, MFA tracker, third-party oversight, and cross-mapping. No credit card required.
No credit card required · 30-day free trial · Cancel anytime