NY regulator issues first cybersecurity non-compliance notifications

March 8, 2018
8:40 AM

The New York Department of Financial Services (NYDFS) this week began issuing non-compliance emails, and many IA&B members were recipients. If you did everything by the book but received a notice, notify the New York regulator. If you are not compliant, act quickly. Instructions for both scenarios follow. 

We confirmed with our sister affiliate in New York that any individual who successfully filed for the individual exemption 500.19 (b) last fall should have been excluded from this latest notice.

  • If you did file your individual exemption 500.19 (b) and received an exemption receipt and still received this latest non-compliance notice, send your name and exemption receipt number (number begins with the letter E on your receipt) to
  • If you did NOT file your individual exemption 500.19 (b), file online now.

If you did not file for your limited exemption, file online now.

If you did not file for your annual certificate of compliance, file online now.

If you did file your agency certificate of compliance before Feb. 15, 2018 and have a receipt for the filing (showing a “C”) and still received this latest non-compliance notice, email with the full name of the licensed entity, New York license number, and filing confirmation number.

New York enacted a Cybersecurity Rule in 2017, with staggered compliance deadlines. While most of our members are likely eligible for the limited exemption under the Cybersecurity Rule, that exemption simply means that you are exempt from certain provisions of the rule. It does not mean that the rule does not apply to you. Therefore, you need to comply with a number of items, and do so by specific deadlines, two of which have already come and gone.

Anyone with a license in the state of New York must first determine if they qualify for the limited exemption.

Agencies that qualify for the exemption:

  • Must file a notice of exemption, and so must every staff member individually licensed in New York (was due Oct. 30, 2017)
  • Must file a certificate of compliance annually (was due Feb. 15, 2018)
  • Must establish and implement a cybersecurity program and policy that addresses specific standards as defined in the New York regulation and incorporate periodic risk assessments, procedures that ensure the security of information accessible to third-party service providers, and procedures for the disposal of information
  • Must notify the regulator of a “cybersecurity event,” if and when applicable

If you have failed to file a notice of exemption (individually, for the agency, or both) or have failed to file the certificate of compliance, you likely will be (or already have been) contacted by the NYDFS.

Agencies that don’t qualify for the exemption:

If you cannot claim the limited exemption, then the entire rule applies, and the standards applicable to your cybersecurity program and policy are more stringent.

Our resources can help you comply, both with understanding your obligations and with providing a template for a cybersecurity program covering the standards required by New York.

Access our resources on the regulation