Cybersecurity Resource Center
All entities and persons regulated or licensed by the New York State Department of Financial Services are required to file various cybersecurity notices to the Superintendent.
- Memo from the Superintendent (PDF)
- Text of Regulation (PDF)
- Frequently Asked Questions (FAQs)
- Information about 2019 filings
Key Dates for 2019 Filings
January 2019: Covered Entities Must File Notices of Exemption
- Exemptions filed in 2017 and 2018 have expired. Any DFS regulated entity or licensed person that is currently entitled to an exemption must file an Initial Notice of Exemption prior to the February 15, 2019 due date for the annual Certification of Compliance.
February 15, 2019: Compliance Certification Filing Deadline
- Regulated entities and licensed persons must file the Certification of Compliance for calendar year 2018 no later than February 15, 2019.
How to File
The DFS Cybersecurity Portal has been redesigned to assist you with your filings. To ensure that filings are matched to the appropriate Covered Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are: New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.
To get started, please visit the DFS Cybersecurity Portal:
- New or Initial Exemption Filings (PDF)
- Amend previous Exemption Filings (PDF)
- Terminate previous Exemption Filings (PDF)
- Certification of Compliance (PDF)
Bulk Filing Request
By permission, the Department will approve certain Covered Entities to file notices of exemption on behalf of other Covered Entities. To gain access to the bulk filings, the Covered Entity needs to:
- Have at least 50 employees or captive agents
- Only file on behalf of employees or captive agents
- Only file on behalf of employees or captive agents that qualify for the same exemption
To gain access to the bulk filings, email the Department at [email protected] from the email address associated with your Portal account, and attach a completed Request for Multiple Filing of Notices of Exemption (PDF) Form.
Once approved, the Department will send filing instructions and the template that must be used for filing.
Section 19 of the DFS cybersecurity regulation contains several exemptions. Each has been crafted to meet the particular circumstances of the Covered Entity, including smaller organizations, licensed persons who are following the cybersecurity program of another regulated company, or those who do not have any Information Systems and Nonpublic Information. These exemptions have been tailored to address these particular circumstances. Most exemptions are limited in nature and still require Covered Entities to comply with some provisions of the Regulation.
All regulated persons and companies that wish to claim an exemption must file with DFS a Notice of Exemption stating their current exempt status prior to the certification deadline of February 15, 2019. Previously filed exemptions are set to expire and must be refiled. No Notice of Exemption filed in 2017 or 2018 needs to be removed or terminated. Any DFS regulated entity or licensed person that is entitled to an exemption must file an initial exempt status during January 2019 prior to filing their annual certification. Thereafter, changes in this status should be made through an amendment or termination filing.
Exemptions filed in 2017 and 2018 have expired. January 2019: Covered Entities Must File New Filings, Amend Previous Filings, Terminate Previous Filings.
Notices of Exemption
Any DFS regulated entity or licensed person that is currently entitled to an exemption must file an Initial Notice of Exemption prior to the February 15, 2019 due date for the annual Certification of Compliance.
After each filing you complete, you will receive an email that includes a receipt number. The receipt will indicate the year the filing was made. The receipt will also indicate the type of filing made:
- Notices of Exemption will have a receipt number that begins with the letter “E.”
- Certifications of Compliance will have a receipt number that starts with the letter “C.”
We recommend that you maintain a copy of this email in your records for future reference.
If you still have questions about the Cybersecurity filing process or regulation, email us at [email protected]