NYDFS 23 NYCRR Part 500 - Cybersecurity Program and Compliance Statement
Organization: JIL Sovereign Technologies, Inc. (Delaware)
Program Owner: CISO (Chief Information Security Officer)
Regulatory Framework: 23 NYCRR Part 500 (New York State Department of Financial Services)
Document Version: 1.0
Effective Date: 2026-04-19
Certification Cycle: Annual (by April 15)
Classification: Public (summary) / Internal (evidence pack)
1. Applicability Statement
Applicability. JIL Sovereign Technologies, Inc. is a Delaware technology corporation and is not currently a Covered Entity under 23 NYCRR Part 500 because it does not hold a license, registration, charter, or similar authorization from the New York State Department of Financial Services (NYDFS). JIL does not operate as a bank, money transmitter, virtual currency business, insurance company, or other regulated financial entity under New York Banking Law, Insurance Law, or Financial Services Law.
Voluntary adoption. Notwithstanding the above, JIL has voluntarily elected to adopt the Part 500 framework as its cybersecurity program governance standard. This document constitutes JIL’s voluntary compliance statement against the Part 500 requirements. Institutional counterparties relying on JIL as a third-party service provider benefit from this voluntary posture even where JIL is not subject to the regulation directly.
Updates. If JIL later becomes a Covered Entity (for example, through obtaining a BitLicense, money transmitter license, or similar authorization), this voluntary program converts to the formal annual certification required under 23 NYCRR 500.17(b).
2. Cybersecurity Program (23 NYCRR 500.02)
JIL maintains a written cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems and the nonpublic information stored in them. The program is:
- Based on the organization’s periodic risk assessment (Section 9)
- Approved and overseen by a senior officer (the CISO, per Section 4)
- Subject to annual review and update
- Documented in written policies (Section 3) and supported by implementing procedures
The program addresses the core functions of identifying internal and external cybersecurity risks; using defensive infrastructure to protect information systems; detecting cybersecurity events; responding to events; recovering from events; and fulfilling regulatory-reporting obligations.
3. Cybersecurity Policy (23 NYCRR 500.03)
The following written policies are maintained and reviewed annually by the CISO. Copies are available to institutional counterparties under non-disclosure agreement.
| # | Policy | Status |
|---|---|---|
| 1 | Information Security Policy | Implemented |
| 2 | Access Control Policy | Implemented |
| 3 | Data Governance and Classification Policy | Implemented |
| 4 | Asset Inventory and Device Management Policy | Implemented |
| 5 | Business Continuity and Disaster Recovery Policy | Implemented |
| 6 | Systems Operations and Availability Policy | Implemented |
| 7 | Systems and Network Security Policy | Implemented |
| 8 | Systems and Application Development Policy | Implemented |
| 9 | Physical Security and Environmental Controls Policy | Inherited (Hetzner ISO 27001) |
| 10 | Customer Data Privacy Policy | Implemented |
| 11 | Vendor and Third-Party Service Provider Policy | Implemented |
| 12 | Risk Assessment Policy | Implemented |
| 13 | Incident Response Policy | Implemented |
| 14 | Multi-Factor Authentication and Access Management Policy | Implemented |
4. Chief Information Security Officer (23 NYCRR 500.04)
Designation. The Board of Directors of JIL Sovereign Technologies, Inc. has designated a qualified individual to serve as Chief Information Security Officer:
- Name: Jeffrey Mendonca
- Title: Chief Information Security Officer
- Designation Date: 2026-01-01
- Reports To: Chief Executive Officer and Board of Directors
Responsibilities. The CISO oversees the Cybersecurity Program, its implementation, its policies, and the annual risk assessment. The CISO reports to the Board at least annually on material cybersecurity risks, the overall effectiveness of the program, and material cybersecurity events during the reporting period.
5. Penetration Testing and Vulnerability Assessments (23 NYCRR 500.05)
Penetration testing. Internal and external penetration testing is conducted at least annually, with continuous internal probes documented in docs/architecture/VALIDATION_AND_PENTEST.md (Section 11 of the Current-State Architecture). The most recent pen-test cycle:
- Completed: 2026-04 (internal, continuous)
- Scope: Public HTTP surface, API endpoints, admin authentication paths, database access layer
- Findings: 1 SEV-1 (remediated same-day: SQL injection via CTE in /api/db/query); 3 SEV-3 findings (remediated within 30 days)
Vulnerability assessments. Bi-weekly dependency scanning via npm audit and pip-audit; continuous monitoring via SentinelAI Fleet Inspector. Critical vulnerabilities are remediated within 7 days; high-severity within 30 days.
6. Audit Trail (23 NYCRR 500.06)
Audit records. JIL maintains audit records of:
- All administrative access to production systems (SSH, admin API keys)
- All Verdict Engine evaluations (111-check attestations) with cryptographic signatures
- All validator-quorum signing events
- All SDV object writes and retrievals
Retention. Audit records are retained for 15 years minimum, substantially exceeding the Part 500 standard of 5 years. Retention exceeds BSA, FATF, HIPAA, and NYDFS floors.
Integrity. Records are hash-chained with SHA-256 and anchored to the JIL L1 blockchain. Tampering is detectable via Merkle-root verification.
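The integrity mechanism described above (SHA-256 hash chaining plus a Merkle root that an auditor can check against an external anchor) can be illustrated with a small self-contained model. The following is an added example, not JIL's own audit-trail code: it assumes a constructed record format, represents "anchoring" simply as keeping the root outside the log, and shows how both an in-place edit and a silent truncation are detected.

```python
"""Hash-chained audit trail with Merkle-root tamper detection (added example)."""
import hashlib
import json

# Constructed sentinel used as the "previous hash" of the first record.
GENESIS = "0" * 64

# Constructed sample audit records (hypothetical fields, not JIL's schema).
SAMPLE_RECORDS = [
    {"ts": "2026-04-01T09:00:00Z", "event": "ssh_login", "actor": "ops-1", "host": "node-a"},
    {"ts": "2026-04-01T09:05:12Z", "event": "admin_api", "actor": "ops-1", "path": "/admin/keys"},
    {"ts": "2026-04-01T09:06:40Z", "event": "quorum_sign", "actor": "validator-2", "batch": 42},
]


def canonical(record: dict) -> bytes:
    """Canonical JSON so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous link's hash followed by the canonical record."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(record))
    return h.hexdigest()


def build_chain(records):
    """Return chain entries; each hash is bound to its predecessor."""
    prev, chain = GENESIS, []
    for rec in records:
        digest = chain_hash(prev, rec)
        chain.append({"record": rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def merkle_root(hashes):
    """Merkle root over the record hashes; odd levels duplicate the last node."""
    if not hashes:
        return GENESIS
    level = [bytes.fromhex(h) for h in hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def verify_chain(chain, anchored_root):
    """Recompute every link and the root.

    Returns (True, None) when intact, otherwise (False, index) where index is
    the first entry whose link fails, or len(chain) when only the root mismatches
    (which is what a truncated or appended log looks like).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or chain_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if merkle_root([e["hash"] for e in chain]) != anchored_root:
        return False, len(chain)
    return True, None


def tamper_demo():
    """Constructed scenario: anchor a root, then try two kinds of tampering."""
    chain = build_chain(SAMPLE_RECORDS)
    anchored_root = merkle_root([e["hash"] for e in chain])  # stands in for the external anchor
    results = {"intact": verify_chain(chain, anchored_root)}
    # 1. Edit a field of the second record without updating its hash.
    edited = json.loads(json.dumps(chain))
    edited[1]["record"]["actor"] = "someone-else"
    results["edited_record"] = verify_chain(edited, anchored_root)
    # 2. Drop the last record: every remaining link verifies, but the root does not.
    results["truncated"] = verify_chain(chain[:-1], anchored_root)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The chain alone catches edits to any record that is followed by another one; the externally anchored root is what catches removal of the newest records or substitution of the whole log, which is why the anchor must live somewhere the log writer cannot rewrite.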
7. Access Privileges (23 NYCRR 500.07)
Principle of least privilege. Access to production systems is granted on a role-based, need-to-know basis. Roles are defined in config/fleet-registry.json and apps/central-portal/src/index.ts (RBAC middleware).
Quarterly reviews. Access privileges are reviewed quarterly; departed personnel access is revoked within 24 hours of separation.
Privileged-account safeguards. Production SSH requires YubiKey FIDO2 or PIV 9a hardware authentication. Admin API access requires the x-admin-key header plus mTLS. Cryptographic signing operations require 2-of-3 MPC threshold signatures (no single party can sign).
8. Application Security (23 NYCRR 500.08)
Secure-by-design development. JIL uses a written Systems and Application Development Policy (Section 3, item 8). Requirements:
- All code reviewed before merge to main
- Inputs validated at every API boundary (Zod schemas + rate limiting)
- No secrets in source control (enforced via pre-commit hooks)
- Signed Docker images pinned by digest in the JILHQ registry
- Post-deployment monitoring via SentinelAI Fleet Inspector
Testing. OWASP API Security test bank applied to every API endpoint; results documented in Section 11 of the Current-State Architecture.
9. Risk Assessment (23 NYCRR 500.09)
Annual formal risk assessment. The CISO conducts a formal risk assessment at least annually. The assessment:
- Identifies reasonably foreseeable internal and external cybersecurity risks
- Evaluates the confidentiality, integrity, and availability implications of identified risks
- Documents adequacy of existing controls
- Records residual risks and the basis for acceptance
Periodic updates. Risk assessment is updated when material business or technical changes occur, and at minimum annually.
Latest assessment: 2026-Q1 (on file with the CISO).
10. Cybersecurity Personnel and Intelligence (23 NYCRR 500.10)
Qualified personnel. JIL’s cybersecurity function is staffed by individuals with appropriate expertise. The CISO reviews staffing adequacy at least annually.
Training. All personnel with production access complete annual security training covering social engineering, phishing, password hygiene, incident reporting, and data handling.
Threat intelligence. JIL subscribes to and monitors:
- OpenSanctions adverse media feed
- FATF typology updates
- OFAC SDN daily refresh
- FinCEN advisories
- CISA / US-CERT alerts
11. Third-Party Service Provider Security Policy (23 NYCRR 500.11)
Third-party inventory. All third-party service providers with access to JIL Nonpublic Information or production systems are inventoried. Critical providers (Hetzner, Cloudflare, payment processors, Google Translate) are reviewed annually.
Due diligence. Each critical provider is evaluated against:
- Security posture (external certifications; ISO 27001 / SOC 2 available)
- Data protection practices (encryption; data residency)
- Incident notification SLAs
- Sub-processor obligations
Contractual requirements. Contracts with third parties include security and confidentiality obligations. Data Processing Addenda are executed where applicable.
12. Multi-Factor Authentication (23 NYCRR 500.12)
MFA is enforced for:
| Access Path | MFA Mechanism |
|---|---|
| Production SSH (Hetzner) | YubiKey FIDO2 (ed25519_sk) or PIV 9a |
| Central portal admin APIs | x-admin-key header + mTLS origin |
| MPC cryptographic signing | 2-of-3 threshold signatures (hardware-backed) |
| Web-wallet user access | WebAuthn or TOTP |
| JILHQ registry writes | Signed HMAC tokens, 24-hour TTL |
13. Limitations on Data Retention (23 NYCRR 500.13)
Data retention policy. Customer Nonpublic Information is retained only as long as necessary to provide the service or meet legal obligations.
JIL’s retention floors:
- 15 years for cryptographic verdict records and audit trails (exceeds Part 500 standard)
- 7 years for customer billing and tax records
- 24 months for operational logs and metrics (beyond this, only hashed summaries retained)
- Immediate purge for unsuccessful onboarding attempts after 30 days
14. Training and Monitoring (23 NYCRR 500.14)
User training. Annual security awareness training for all personnel. Phishing simulations conducted quarterly.
Monitoring. Production systems are monitored continuously for:
- Anomalous authentication attempts (SentinelAI threat scoring)
- Anomalous API usage patterns (rate-limit breaches, unusual endpoints)
- Validator-quorum byzantine behavior
- Unauthorized configuration changes (fleet-registry integrity)
15. Encryption of Nonpublic Information (23 NYCRR 500.15)
Encryption in transit. All traffic to and from production systems uses TLS 1.2 or higher. mTLS is used for service-to-service communication inside the JIL cluster.
Encryption at rest. AES-256-GCM is used for:
- Customer-submitted verdict records (written to vendor SDVs)
- Validator key material
- Backups to Hetzner Object Storage
- Database dumps
- MPC key shards
Post-quantum forward-compatibility. Cryptographic signing uses a hybrid scheme: Ed25519 (classical) + CRYSTALS-Dilithium Level 3 (post-quantum, NIST FIPS 204). This forward-compatibility protects records for the 15+ year retention horizon even against future quantum adversaries.
16. Incident Response Plan (23 NYCRR 500.16)
Written plan. The Incident Response Plan is maintained by the CISO. It addresses:
- Internal processes for responding to Cybersecurity Events
- Goals of the response
- Roles, responsibilities, and escalation paths
- External and internal communications plans
- Remediation activities
- Documentation and reporting
- Evaluation and revision post-incident
Tested annually. Tabletop exercises conducted at least annually. Post-incident reviews are documented and fed back into program improvements.
17. Notices to Superintendent (23 NYCRR 500.17)
Applicability. JIL is not currently subject to the filing requirements of Section 500.17 because it is not a Covered Entity (see Section 1, Applicability Statement, above).
Voluntary equivalent. Should JIL become a Covered Entity, the annual certification required under 500.17(b) would be filed by April 15 following the end of the previous calendar year. Material Cybersecurity Events would be reported within 72 hours.
Current practice. JIL notifies institutional counterparties of material Cybersecurity Events affecting their data within 72 hours of discovery as a contractual best-practice, even absent regulatory requirement.
18. Confidentiality (23 NYCRR 500.18)
This document and its supporting policies, procedures, and evidence are maintained confidentially. Public summaries (this document) may be distributed. Detailed policy texts, evidence logs, and incident reports are provided only to qualified reviewers under non-disclosure agreement.
19. Applicability Recap
As stated in Section 1, JIL Sovereign Technologies, Inc. is not currently a NYDFS Covered Entity. This document describes JIL’s voluntary compliance posture. The Part 500 framework is adopted as the operating governance standard for JIL’s cybersecurity program because of its comprehensive applicability to institutional-grade information systems and its recognition among JIL’s institutional counterparty base.
20. Certification
The undersigned CISO certifies that, to the best of their knowledge, JIL Sovereign Technologies, Inc.’s Cybersecurity Program, as described above, is implemented and operational as of the effective date of this document, and materially meets the requirements of 23 NYCRR Part 500 on a voluntary basis.
Certified by:
Jeffrey Mendonca
Chief Information Security Officer
JIL Sovereign Technologies, Inc. (Delaware)
Date: 2026-04-19
This document will be reviewed and re-certified annually, by April 15 of each year, coinciding with the Part 500 standard certification cycle. Updates to the cybersecurity program or material changes in organizational posture will trigger interim updates to this document.