N.Y. Comp. Codes R. & Regs. tit. 23, § 500.17
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
(b) Notice of compliance.
(1) Annually each covered entity shall submit to the superintendent electronically by April 15 either:
(i) a written certification that:
(ii) a written acknowledgment that:
(3) Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that require or required material improvement, updating or redesign, all remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
(c) Notice and explanation of extortion payment.
Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department’s website, with the following:
(a) Notice of cybersecurity incident.