Skip Navigation

Complicated compliance with New York’s cyber reg

September 28, 2017
11:45 AM

The compliance deadlines associated with the New York Cybersecurity Regulation for Financial Services Companies are sliding by. What’s more, individual producers are on the hook – not just agencies.

Without providing additional notice, the New York Department of Financial Services (NYDFS) just this month clarified its interpretation of the regulation – which mandates that individual licensees file an individual exemption, in addition to their agency’s exemption. Bottom line: If you hold a New York license (resident or non-resident, individual or agency), you are impacted.

As previously reported in Agent Headlines, the first requirement – to create a cybersecurity program – was due late last month.

Yesterday, the NYDFS extended the deadline for the second requirement: to file a Notice of Exemption (for those individuals and agencies which qualify for the regulation’s limited exemption). Originally required by Wednesday, Sept. 27, the filing deadline is now Monday, Oct. 30.

The regulation includes “limited exemptions” (Section 500.19), depending on the extent of business done in New York. Under §500.19 (a), the exemptions are available for those agencies which have:

  1. Fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
  2. Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
  3. Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.

Note that even “exempted” agencies must comply with numerous provisions, including having a cybersecurity program. The limited exemption only modifies the extent of the program.


  1. Every individual producer holding a N.Y. license (resident or non-resident) must file an exemption if they intend to rely on their agency’s cybersecurity program (the exemption will be based on section 500.19(b) of the regulation). This can be done by:
  • Filing with the DFS,
  • Creating an account,
  • Choosing Cybersecurity Notice of Exemption,
  • Typing the first letters of your name and choosing from the drop-down menu, and
  • Selecting the exemption under Section 500.19(b).
  1. Every agency holding a N.Y. license (resident or non-resident) should file for a limited exemption, if applicable. The same link can be used, but you will identify the agency instead of the individual licensee (with either your N.Y. agency license or FEIN number). The exemption will be based on section 500.19(a)(1),( 2) or (3) of the regulation, depending on which criteria apply to your agency, and
  2. Every agency holding a N.Y. license (resident or non-resident) must design and implement a cybersecurity program.

If you’re impacted, act quickly to comply. Then review our synopses of additional critical deadlines:

In addition, the New York Department of Financial Services (NYDFS) created an online resource, which includes a link to an FAQ and applicable contact information for the NYDFS at the bottom of the webpage.