Industry Letter

Guidance Letter

May 13, 2024

To: DFS-Regulated Independent Insurance Agents and Mortgage Loan Originators

Re: Resource to Assist Small Businesses with Development of Cybersecurity Program, Pursuant to DFS Cybersecurity Regulation

The New York State Department of Financial Services’ (DFS) Cybersecurity Regulation 23 NYCRR Part 500 (Cybersecurity Regulation) requires covered entities, including individual licensees and single person regulated entities, to maintain a cybersecurity program.*

Pursuant to the Cybersecurity Regulation, covered entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond to, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.

To assist individual licensees and single person regulated entities in creating a cybersecurity program, DFS has developed a model Cybersecurity Program Template. This resource prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation. The template also includes frameworks for developing and tracking asset inventories, risk assessments, multi-factor authentication exceptions, and third-party service providers. This template is not a substitute for independently evaluating any business, legal, or other issues, and completion does not assure compliance with the Regulation.  

The Cybersecurity Program Template is available to download via the Department’s Cybersecurity Resource Center. For more information about the Cybersecurity Regulation, including its requirements, please visit the DFS website.  

*Note: Entities with full exemptions pursuant to Section 500.19(b), (e) or (g), or limited exemptions pursuant to Section 500.19(c) or (d), are not required to maintain a cybersecurity program. The Department’s 'Am I Exempt from DFS's Cybersecurity Regulation?' Flowchart can help licensees determine their exemption qualification.