Cybersecurity Regulation Exemptions

23 NYCRR 500.19

Section 19 of the DFS cybersecurity regulation contains several exemptions. Each has been crafted to meet the particular circumstances of certain Covered Entities, including smaller organizations, licensed persons who are following the cybersecurity program of another regulated company, and those that do not have any Information Systems or Nonpublic Information. Most exemptions are limited in nature and still require Covered Entities to comply with some provisions of the Regulation.

Filing Requirements

All regulated persons and companies that wish to claim an exemption must file a Notice of Exemption with DFS stating their current exempt status prior to the certification deadline of February 15, 2019. Previously filed exemptions are set to expire and must be refiled; no Notice of Exemption filed in 2017 or 2018 needs to be removed or terminated. Any DFS-regulated entity or licensed person that is entitled to an exemption must file an initial Notice of Exemption during January 2019, prior to filing its annual certification. Thereafter, changes in this status should be made through an amendment or termination filing.


How to File

The DFS Cybersecurity Portal has been redesigned to assist you with your filings. To ensure that filings are matched to the appropriate Covered Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are: New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.

Exemptions filed in 2017 and 2018 have expired. Any DFS-regulated entity or licensed person that is currently entitled to an exemption must file an initial Notice of Exemption prior to the due date for annual Certificates of Compliance, February 15, 2019.

To get started, please visit the DFS Cybersecurity Portal:

Cyber Notice Exemption Instructions (PDF)


Exemption Guidance

To complete a Notice of Exemption, you must identify all exemptions that meet your circumstances. The following are explanations of the exemptions provided for in 23 NYCRR 500.19:

500.19(a)(1)

A Covered Entity is entitled to this exemption when it has fewer than 10 employees, including independent contractors. This is a limited exemption: you must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and you must still submit an annual Certification of Compliance.

500.19(a)(2)

A Covered Entity is entitled to this exemption when it has less than $5,000,000 in gross annual revenue from NY business in each of the last 3 fiscal years. This is a limited exemption: you must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and you must still submit an annual Certification of Compliance.

500.19(a)(3)

A Covered Entity is entitled to this exemption when it has less than $10,000,000 in year-end total assets. This is a limited exemption: you must still design and implement a cybersecurity program that meets some, but not all, of the regulatory requirements, and you must still submit an annual Certification of Compliance.

500.19(b)

You are entitled to this exemption when you are an employee, agent, representative or designee of another Covered Entity and you are fully covered by, and following, that entity’s cybersecurity program. Under this exemption you do not need to create your own program, but you must identify the Covered Entity whose program you are following in order to claim the exemption. To submit a Notice of Exemption under 500.19(b), you will be required to provide the name and address of the Covered Entity that supports the cybersecurity program you are following and the name of an appropriate representative who can confirm that cybersecurity program.

500.19(c)

You are entitled to this exemption if you are a Covered Entity that does not utilize an Information System and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information. This is a limited exemption: you must still complete an annual risk assessment to confirm that you continue to be entitled to this exemption, and you must meet some, but not all, of the regulatory requirements, including submitting an annual Certification of Compliance.

500.19(d)

This exemption is available to a captive insurance company that does not control Nonpublic Information other than information relating to its corporate parent company. This is a limited exemption: the company must still complete an annual risk assessment to confirm that it continues to be entitled to this exemption, and must meet some, but not all, of the regulatory requirements, including submitting an annual Certification of Compliance.

Chart of Required Provisions

Below is a chart of the provisions of the Regulation with which you must still comply if you are eligible for any of the exemptions.

Exemptions:
500.19(a)(1) Fewer than 10 employees working in NYS
500.19(a)(2) Less than $5 million in gross annual revenue
500.19(a)(3) Less than $10 million in year-end total assets

Exempt From:
500.04 - Chief Information Security Officer
500.05 - Penetration Testing and Vulnerability Assessments
500.06 - Audit Trail
500.08 - Application Security
500.10 - Cybersecurity Personnel and Intelligence
500.12 - Multi-Factor Authentication
500.14 - Training and Monitoring
500.15 - Encryption of Nonpublic Information
500.16 - Incident Response Plan

Still Required:
500.02 - Cybersecurity Program
500.03 - Cybersecurity Policy
500.07 - Access Privileges
500.09 - Risk Assessment
500.11 - Third Party Service Provider Security Policy
500.13 - Limitations on Data Retention
500.17 - Notices to Superintendent
500.18 - Confidentiality
500.19 - Exemptions
500.20 - Enforcement
500.21 - Effective Date
500.22 - Transitional Periods
500.23 - Severability

Exemptions:
500.19(c) Does not control any Information Systems or Nonpublic Information
500.19(d) Captive insurance companies that do not control Nonpublic Information other than information relating to the corporate parent company

Exempt From:
500.02 - Cybersecurity Program
500.03 - Cybersecurity Policy
500.04 - Chief Information Security Officer
500.05 - Penetration Testing and Vulnerability Assessments
500.06 - Audit Trail
500.07 - Access Privileges
500.08 - Application Security
500.10 - Cybersecurity Personnel and Intelligence
500.12 - Multi-Factor Authentication
500.14 - Training and Monitoring
500.15 - Encryption of Nonpublic Information
500.16 - Incident Response Plan

Still Required:
500.09 - Risk Assessment
500.11 - Third Party Service Provider Security Policy
500.13 - Limitations on Data Retention
500.17 - Notices to Superintendent
500.18 - Confidentiality
500.19 - Exemptions
500.20 - Enforcement
500.21 - Effective Date
500.22 - Transitional Periods
500.23 - Severability


Filings on Behalf of Others | Bulk Exemption Filings

In some cases, an employer may opt to file an exemption with DFS on behalf of its employees through the Bulk Submission process. Covered Entities must request access to this functionality.  If a Notice of Exemption is filed on your behalf, you will receive an email from DFS confirming the filing.  The email will include a receipt number as well as list the exemption(s) filed. It is the licensed person’s responsibility to update DFS if their exemption status changes due to a change in employment or any other factor.

Changing or Terminating a Filed Exemption

After an initial Notice of Exemption is filed, it can be amended or terminated through the DFS Cybersecurity Portal. The amendment option should be used when the exempt status changes but the person or entity remains entitled to an exemption; amending an exemption will leave at least one exemption in place. Terminating an exemption will cancel all previously filed exemptions, including those filed through the Bulk process. See the Cyber Notice Exemption Instructions for details on filing, amending and terminating exemptions.

What to file if you are licensed by DFS but not currently working in that field

500.19(c) applies to any regulated entity or licensed person that does not maintain any Information Systems and does not possess any Nonpublic Information. 

People who are currently licensed but not actively utilizing such license may fall into this category provided they are not maintaining nonpublic information concerning former or potential consumers or otherwise maintaining information or systems covered by the regulation. 

This is a partial exemption and still requires the Covered Entity or licensed person to comply with certain provisions of the Regulation (see chart above), including the requirement to conduct a Risk Assessment and to submit an annual Certification of Compliance to the Superintendent.