hands on a keyboard protected by a lock image

Cybersecurity Resource Center

Cybersecurity Resource Center
SHARE

Introduction

Cybersecurity Compliance Submissions Notice: If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). Part 500 was amended for the first time in April 2020 to change the date of the required annual certification filing from February 15 of each year to April 15. 

Since the regulation was adopted, the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves. As a result, Part 500 was amended again, effective November 1, 2023.

Notably, DFS-regulated individuals and entities required to comply with the amended Cybersecurity Regulation (referred to below as “Covered Entities”) continue to include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.

This Resource Center is designed to help explain how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, FAQs and provides detailed information on how to submit cybersecurity-related filings, including notifications to DFS regarding compliance, cybersecurity incidents, and exemption status.

This Resource Center is frequently updated, and you may sign up for email updates on important regulatory guidance, cybersecurity alerts, and other information related to cybersecurity in the financial services sector by going to the DFS Email Updates Signup Page and subscribing to Cybersecurity Updates. These emails will come from the email address [email protected].

Questions regarding the Cybersecurity Regulation may be sent to [email protected].

Amended Cybersecurity Regulation

On November 1, 2023, DFS announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500. (See the final adopted regulatory documents on the Regulatory Activity - Financial Services Law page.)

Training and Compliance Resources

To help regulated entities plan for compliance, the Department has developed the following Part 500 resources:

Additional videos, resources, and training opportunities will be posted to this section of the Cybersecurity Resource Center.

Key Compliance Dates

The amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024. Changes to reporting requirements take effect one month after publication of the amended regulation, or December 1, 2023. For certain other requirements, the regulation provides for up to one year, 18 months, or two years to come into compliance.

The below Cybersecurity Implementation Timelines outline key compliances dates for each of the categories of businesses impacted by the amended regulation:

Industry Guidance

Recent Updates (past 6 months)

SubjectDate
Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People’s Republic of Korea2024-11-01
Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks (related press release)2024-10-16
Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel2024-09-27
Notice Regarding Crowdstrike Global Outage2024-07-19
Resource to Assist Small Businesses with Development of Cybersecurity Program, Pursuant to DFS Cybersecurity Regulation2024-05-13

Industry Letters

SubjectDate
Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People’s Republic of Korea2024-11-01
Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks2024-10-16
Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel2024-09-27
Resource to Assist Small Businesses with Development of Cybersecurity Program, Pursuant to DFS Cybersecurity Regulation2024-05-13
Guidance on the Escalating Situation in Ukraine and Impact to the Financial Sector2022-02-25
Guidance on Multi-Factor Authentication2021-12-07
Guidance Regarding the Adoption of an Affiliate’s Cybersecurity Program2021-10-22
Guidance on Ransomware Prevention (related press release)2021-06-30
Cyber Insurance Risk Framework (related press release)2021-02-04
Guidance Regarding Cybersecurity Awareness During COVID-19 Pandemic2020-04-13
Letter Regarding DFS Cybersecurity Regulation – First Two Years and Next Steps2018-12-21
Letter Recommending FS-ISAC Participation for all NYS-Chartered Depository Institutions2014-02-06

Alerts

SubjectDate
Cybersecurity Advisory – Threats Posed by Remote Technology Workers with Ties to Democratic People’s Republic of Korea2024-11-01
Cybersecurity Threat Alert – Social Engineering of Institutions’ IT Help Desk Personnel2024-09-27
Notice Regarding Crowdstrike Global Outage2024-07-19
Cybersecurity Alert – Self-Service Password Reset2024-01-12
First American Financial & Email Vigilance (sent to CISOs of community and regional banks, credit unions and mortgage-related entities)2023-12-27
Cybersecurity Threat Alert - Citrix Bleed Vulnerability2023-11-14
MOVEit Transfer Vulnerability2023-06-02
Log4j Vulnerability2021-12-17
Alert Regarding Pulse Connect Secure Critical Vulnerability2021-04-26
Cyber Fraud Alert Follow-Up: New York Insurance Identification (ID) Card Barcode Vulnerability2021-04-19
Cyber Fraud Alert Regarding Prefilled Nonpublic Information2021-03-30
Cyber Fraud Alert Regarding the Exploitation of Four Vulnerabilities in Microsoft Exchange Server2021-03-09
Cyber Fraud Alert Regarding Instant Quote Websites (related press release)2021-02-16
Cyber Alert Regarding the SolarWinds Supply Chain Compromise2020-12-18

Cybersecurity-Related Reports and Publications

SubjectDate
Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response (related press release)April 2021
Twitter Investigation Report (related press release)October 2020
Update on Cybersecurity in the Banking Sector: Third Party Service ProvidersApril 2015
Report on Cybersecurity in the Insurance SectorFebruary 2015
Report on Cybersecurity in the Banking SectorMay 2014

Cybersecurity-Related Settlements

SubjectDate
Consent Order to Genesis Global Trading, Inc (related press release)2024-01-11
Consent Order to First American Title Insurance Company2023-11-27
Consent Order to SA Stone Wealth Management Inc.2023-07-07
Consent Order to OneMain Financial Group LLC (related press release)2023-05-24
Consent Order to bitFlyer USA, Inc.2023-05-01
Consent Order to BitPay, Inc.2023-03-16
Consent Order to Coinbase, Inc. (related press release)2023-01-04
Consent Order to TTEC Healthcare Solutions, Inc.2022-12-02
Consent Order to EyeMed Vision Care LLC (related press release)2022-10-18
Consent Order to Robinhood Crypto, LLC (related press release)2022-08-02

Consent Order to Carnival Corporation d/b/a Carnival Cruise Line; Princess Cruise Lines, Ltd; Holland America Line NV; Seabourn Cruise Line, Ltd; and Costa Cruise Lines, Inc. (related press release)

2022-06-24
Consent Order to LifeMark Securities Corp.2021-09-20
Consent Order to First Unum Life Insurance Company and The Paul Revere Life Insurance Company(related press release)2021-05-13
Consent Order to National Securities Corporation (related press release)2021-04-12
Consent Order to Residential Mortgage Services, Inc. (related press release)2021-03-03

See all DFS Enforcement Actions

FAQs

Answers to frequently asked questions concerning the Cybersecurity Regulation are below. Capitalized terms used below have the meanings assigned to them in the definition section of Part 500. “Section” references are to sections of the Cybersecurity Regulation unless otherwise stated. The Department may revise or update the below information from time to time, as appropriate.

500.1 Definitions

(d) Class A Company

1. Under what circumstances does an Affiliate of a Class A Company with business operations in NY have to comply with DFS’s Cybersecurity Regulation?
+

An Affiliate of a Class A Company with business operations in NY only has to comply with DFS’s Cybersecurity Regulation if it is a Covered Entity. In other words, affiliates of Class A Companies must comply with relevant sections of Part 500 only if the entity operates under or is required to operate under a “license, registration, charter, certificate, permit, accreditation or similar authorization” pursuant to New York’s Banking, Insurance, or Financial Services Law.  23 NYCRR § 500.1(e) (defining Covered Entity).

(e) Covered Entities

2. Are health maintenance organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities under Part 500?
+

Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are "operating under or required to operate under" DFS authorizations pursuant to the Insurance Law, and whether or not they are regulated by another governmental entity is irrelevant to this determination.

3. Are Exempt Mortgage Loan Servicers Covered Entities under Part 500?
+

Under N.Y. Banking Law § 590(2)(b-1), an Exempt Mortgage Loan Servicer needs to notify DFS that it will act as a servicer. Since the notification is not an authorization from the Department, an exempt Mortgage Loan Servicer is not a Covered Entity under 500.1(e). However, if an Exempt Mortgage Loan Servicer also holds a license, registration, or received approval under the provisions of § 418.2(e) of Part 418 of the Superintendent’s Regulations, it will be considered a Covered Entity and required to comply with the Cybersecurity Regulation. Given the increasing cybersecurity risks that all financial services organizations face, DFS strongly encourages all financial institutions, including those Exempt Mortgage Loan Servicers that are not Covered Entities, to adopt cybersecurity protections consistent with those required by Part 500. 

4. Are not-for-profit Mortgage Brokers Covered Entities under Part 500?
+

Yes. Not-for-profit mortgage brokers are Covered Entities. 3 NYCRR Part 39.4(e) provides that Mortgage Brokers "which seek exemption may submit a letter application,” along “with such information as may be prescribed by” the Superintendent, to the Mortgage Banking unit of the Department at the address set forth in section 1.1 of Supervisory Policy G 1. As this authorization is necessary for a not-for-profit Mortgage Broker, it is a Covered Entity under Part 500.

5. Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with Part 500?
+

Yes, they are considered Covered Entities and, as such, must comply with Part 500. Only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office, are subject to the applicable requirements of Part 500, whether through the branch's, agency's, or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.

500.2 Cybersecurity Program

6. May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it?
+

A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part as provided for in Section 500.2(d), as long as the Covered Entity's overall cybersecurity program meets all requirements of Part 500. The Covered Entity remains responsible for full compliance with the requirements of Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.

500.4 Cybersecurity Governance

7. To the extent a Covered Entity uses an employee of an Affiliate or Third-Party Service Provider as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of Section 500.4(a)?
+

To the extent a Covered Entity utilizes an employee of an Affiliate or Third-Party Service Provider to serve as the Covered Entity's CISO for purposes of Section 500.4(a), the Covered Entity retains full responsibility for compliance with the requirements of Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

8. Under Section 500.4(b), can the requirement that the CISO report in writing at least annually to the Covered Entity's Senior Governing Body be met by reporting to an authorized subcommittee of the board?
+

Yes. The Senior Governing Body is defined in 500.1(q) and includes an appropriate committee of the board of directors.

500.5 Vulnerability Management

9. What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.5?*
+

Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of Section 500.5.

*Changes to 500.5 will be effective as of April 29, 2024. At that point, the requirement regarding continuous monitoring will no longer appear in Section 500.5 and this FAQ will be removed.

500.9 Risk Assessment

10. Should Covered Entities use a cybersecurity assessment framework as part of their Risk Assessment process?
+

The Risk Assessment required by Sections 500.9 & 500.2(b) is the foundation of the comprehensive cybersecurity program required by DFS’s Cybersecurity Regulation, and a cyber assessment framework is a useful component of a comprehensive Risk Assessment. DFS does not require a specific standard or framework for use in the risk assessment process. Rather, DFS expects Covered Entities to use a framework and methodology that best suits their risk and operations. Among the widely used frameworks Covered Entities employ are the CRI Profile and the NIST Cybersecurity Framework.

11. Do Covered Entities have any obligations when acquiring or merging with a new company?
+

Yes. Section 500.9(a) states that Risk Assessments “shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the Covered Entity’s cyber risk.” Furthermore, Section 500.8(b) states that the institution’s application security “procedures, guidelines and standards shall be reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity at least annually.” Accordingly, when a Covered Entity is acquiring or merging with a new company, the Covered Entity will need to do a factual analysis of how the requirements of Part 500 apply to that particular acquisition. Some important considerations include, but are not limited to, the type of business the acquired company engages in, the target company’s cybersecurity risks including its access to Nonpublic Information, the safety and soundness of the Covered Entity, and the integration of data systems. The Department emphasizes that Covered Entities must conduct thorough due diligence and prioritize cybersecurity when considering any new acquisitions.

12. How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other Affiliates?
+

When a subsidiary or other Affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see Sections 500.9, 500.2 and 500.3, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.

13. How must a Covered Entity address cybersecurity issues with respect to a bank holding company (“BHC”)?
+

Under Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, the Covered Entity must evaluate and address any risks that a BHC (or other Affiliate of the Covered Entity) presents to the Covered Entity’s Information Systems and/or Nonpublic Information. For example, if a Covered Entity shares its data, including Nonpublic Information, and Information Systems with a BHC, the Covered Entity must ensure that such shared data and systems are protected. Specifically, the Covered Entity must evaluate and address in its Risk Assessment, cybersecurity program and cybersecurity policies the risks that the BHC poses with respect to such shared Information Systems and/or Nonpublic Information. In the same manner, a Covered Entity must also evaluate and address other cybersecurity risks that a BHC may pose to it. A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC or that otherwise may be subjected to risk by a BHC. Other regulatory requirements may also apply, depending on the individual facts and circumstances.

14. What types of change in business or technology would cause a material change to a Covered Entity’s cyber risk such that it would require that entity to review and update its Risk Assessment?
+

Part 500 covers a broad range of Covered Entities that vary in size, type of business, and scope of operations, among other things. Since the Cybersecurity Regulation takes a risk-based approach, what constitutes a “material change” to a Covered Entity’s cyber risk that requires reviewing and updating their Risk Assessment will vary depending on the specific circumstances of the Covered Entity. When making this determination, Covered Entities should consider various factors, including but not limited to, the industry in which they operate, their size, the type and amount of data they maintain or can access, and the size and nature of potential impact to its cybersecurity risk created by the change in business or technology.

For example, merging with or acquiring another company very likely constitutes a material change that would require reviewing and potentially updating a Covered Entity’s Risk Assessment. Similarly, a plan to migrate or outsource key business processes or other key workloads or data to a third-party service provider will very likely constitute a material change that would require a review and potential update of the Covered Entity’s Risk Assessment.

500.11 Third-Party Service Provider Security Policy

15. If Covered Entity A utilizes Covered Entity B (not related to Covered Entity A) as a Third-Party Service Provider, and Covered Entity B provides Covered Entity A with evidence of its Certification of Compliance with the Cybersecurity Regulation, could that be considered adequate due diligence under the due diligence process required by Section 500.11(a)(3)?
+

No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third-Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third-Party Service Provider poses to their Nonpublic Information and Information Systems and effectively address those risks.

16. Are all Third-Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity?
+

Section 500.11, among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Section 500.11(b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, Section 500.11(b) requires Covered Entities to make a Risk Assessment regarding the appropriate controls for Third-Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.

17. Can an entity be both a Covered Entity and a Third-Party Service Provider under Part 500?
+

Yes. If an entity is both a Covered Entity and a Third-Party Service Provider, the entity is responsible for meeting the requirements of Part 500 as a Covered Entity.

18. How must a Covered Entity address cybersecurity issues with respect to Utilization Review (“UR”) agents?
+

When a Covered Entity is using an independent UR agent, that Covered Entity should be treating them as Third-Party Service Providers (“TPSP”). Since UR agents will be receiving Nonpublic Information from that Covered Entity, that Covered Entity must assess the risks each TPSP poses to their data and Information Systems and effectively address those risks. The Covered Entity will ultimately be responsible for ensuring that their data and systems are protected.

500.12 Multi-Factor Authentication

19. When does a Covered Entity have to use MFA?
+

Based on its Risk Assessment, each Covered Entity must use effective controls, which may include MFA or risk-based authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. MFA must be used for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.

Starting on November 1, 2025, a Covered Entity will be required to use MFA for any individual accessing any Information Systems of the Covered Entity, regardless of location, type of user, and type of information contained on the information system being accessed, unless the Covered Entity has a CISO that approves in writing the use of reasonably equivalent or more secure compensating controls (and reviews this determination periodically but at a minimum annually), or the Covered Entity qualifies for a limited exemption pursuant to Section 500.19(a), in which case MFA shall only be required for (1) remote access to the Covered Entity’s Information Systems, (2) remote access to third-party applications, including but not limited to those that are cloud based, from which Nonpublic Information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive login. If a Covered Entity that is exempt under Section 500.19(a) also has a CISO, the CISO may also grant the exception described above.

20. Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)?
+

Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.

500.17 Notices to Superintendent

500.17(a): Cybersecurity Incidents

21. When is a Covered Entity required to report a Cybersecurity Incident under Section 500.17(a)?
+

Section 500.17(a) requires Covered Entities to notify DFS as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Incident has occurred at the Covered Entity, its Affiliates, or a Third-Party Service Provider. 
A Cybersecurity Incident is a Cybersecurity Event that (1) impacts the Covered Entity and requires the Covered Entity to notify any government body, self-regulatory agency or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operation(s) if the Covered Entity; or (3) results in the deployment of ransomware within a material part of the Covered Entity’s information system. (Section 500.1(g)) A Cybersecurity Event is any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system. (Section 500.1(d))

22. When does a Covered Entity have to notify DFS of an unsuccessful attack?
+

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful. The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under Section 500.17(a) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.

The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department. Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.

The Department recognizes that Covered Entities’ focus should be on preventing cybersecurity attacks and improving systems to protect the institution and its customers. The Department’s notice requirement is intended to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.

23. Under Section 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers?
+

Yes. Section 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under Section 500.17(a)(1), a Covered Entity must notify the Department of any Cybersecurity Event for which notice is required to be provided to “any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach. Under Section 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to the Department.
In addition, under Section 500.17(a), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s)” of the Covered Entity.  To the extent this type of Cybersecurity Event involves material consumer harm, it is covered by this provision.

24. When there is a Cybersecurity Event at a Third-Party Service Provider that affects a Covered Entity, is that Covered Entity required to notify DFS even if the Third-Party Service Provider notifies DFS on the Covered Entity’s behalf?
+

Yes. Section 500.17(a) requires a Covered Entity that has been impacted by a Cybersecurity Event that occurred at one of its Third-Party Service Providers to notify DFS if the Covered Entity is also required to notify any government body, self-regulatory agency, or any other supervisory body. This is required of the Covered Entity even if the Third-Party Service Provider also notifies DFS. Reporting Cybersecurity Events such as these enables the Department to more rapidly identify techniques used by attackers and alert industry, respond quickly to new threats, and continue to protect consumers and the financial services industry.

25. Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event?
+

New York’s information security breach and notification law (also known as the SHIELD ACT, General Business Law Section 899-aa), requires notice to consumers who have been affected by Cybersecurity Incidents. Further, under Part 500, a Covered Entity’s cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address as part of their incident response plans external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of Part 500.

500.17(b): Notice of Compliance

500.17(b)(1): Annual Submission of Certification of Material Compliance or Acknowledgment of Noncompliance

26. May the required annual notification regarding compliance in Section 500.17(b) be submitted by an Affiliate?
+

No. Each Covered Entity is required to notify DFS of its own compliance with Part 500 annually.

27. May a Covered Entity submit a certification under Section 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500?
+

A Covered Entity may not submit a certification under Section 500.17(b) unless the Covered Entity was in material compliance with all applicable requirements of Part 500 for the calendar year for which it is certifying. Staring with notifications due by April 15, 2024, a Covered Entity that was not in material compliance with the Cybersecurity Regulation for the preceding calendar year must file an Acknowledgment of Noncompliance pursuant to Section 500.17(b)(1)(ii).

28. If a Covered Entity filed a Notice of Exemption from the Cybersecurity Regulation, does the Covered Entity need to file a Certification of Material Compliance or Acknowledgment of Noncompliance?
+

It depends on the exemption for which the Covered Entity qualifies. If it qualifies for a full exemption pursuant to Section 500.19(b), (e), or (g), and submitted a Notice of Exemption, the Covered Entity does not need to submit an annual notification regarding its compliance. If, however, the Covered Entity qualifies for a limited exemption and filed a Notice of Exemption pursuant to Sections 500.19(a), (c) or (d), it does need to submit an annual notification regarding its compliance.

If the Covered Entity filed a Notice of Exemption under sections 500.19(a), (c) or (d), it is still required to file an annual notification regarding its compliance with the sections of the Cybersecurity Regulation that apply to it as specified in the regulation. Consequently, if a Covered Entity filed for an exemption under subsection (a) of Section 500.19, it is still required to: maintain a cybersecurity program as required in Section 500.2; maintain a cybersecurity policy as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

Additionally, starting in November 2024, Covered Entities qualifying for a Section 500.19(a) exemption will also be required to comply with the Multi-Factor Authentication requirements in Section 500.12 and provide cybersecurity awareness training pursuant to Section 500.14(a)(3).

If you filed for an exemption under subsections (c) or (d) of Section 500.19, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

29. Do Covered Entities need to submit annual notifications regarding their compliance for each DFS license they maintain?
+

Covered Entities that have more than one license should submit separate annual notifications of compliance for each license. This includes licenses for entities and licenses for individuals.

30. Are non-resident Covered Entities required to submit annual notifications regarding their compliance?
+

All Covered Entities, including non-residents, are required to submit notifications of their compliance unless they qualify for a full exemption pursuant to Section 500.19(b), (e), or (f) and have filed a Notice of Exemption.

31. If an individual is licensed by DFS but not currently working in the field, do they need to submit an annual notification regarding their compliance (i.e., a Certification of Material Compliance or an Acknowledgment of Noncompliance)?
+

The following inactive licensees who do not otherwise qualify as a Covered Entity (for example, who do not hold another type of license) are exempt from the annual requirement to notify DFS regarding their compliance:

  • inactive individual insurance brokers (subject to Insurance Law section 2104) who (a) do not maintain, control or use, even indirectly, any Information Systems and do not have any Nonpublic Information, and (b) have not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year;
  • individual insurance agents placed in inactive status under Insurance Law §2103; and
  • individual mortgage loan originators placed in inactive status under Banking Law §599-i.

If none of the above apply to your situation, then as long as you are licensed by DFS, you need to comply with the Cybersecurity Regulation. However, you may qualify for the limited exemption pursuant to Section 500.19(c) which applies to any regulated entity or licensed Person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, Section 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see table below), including the requirement to submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance.

32. How does a Covered Entity decide whether it needs to file a Certification of Material Compliance or an Acknowledgement of Noncompliance? How significant does the noncompliance need to be to require the submission of an Acknowledgement of Noncompliance instead of a Certification of Material Compliance?
+

A Covered Entity must determine whether any noncompliance with the Cybersecurity Regulation was significant in the overall context of the Covered Entity’s circumstances. When making that determination, Covered Entities should consider various factors, including but not limited to, the industry in which they operate, their size, the type and amount of data they maintain or can access, and the nature, duration, scope, and potential impact of the noncompliance. 

One example of material noncompliance that would require a Covered Entity to file an Acknowledgment of Noncompliance is the failure to conduct a cybersecurity Risk Assessment since its Cybersecurity Program must be based on such a Risk Assessment. See Section 500.2(b). Another example of material noncompliance is the failure of a Covered Entity to implement procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers, especially in light of the significant cybersecurity risks associated with third-party service providers. 

On the other hand, a single event involving an inadvertent lapse in the operation of the Cybersecurity Program of short duration and with no or minimal impact is not likely to be considered an instance of material noncompliance that would require the filing of an Acknowledgement of Noncompliance. However, several immaterial violations, when considered in the aggregate, might constitute a material violation, necessitating an Acknowledgment of Noncompliance be filed instead of a Certification of Material Compliance. 

No matter which notification of compliance is filed, Covered Entities must maintain all relevant records, schedules, and other documentation and data supporting their determinations including documentation regarding the reasons why such decisions were made. See § 500.17(b)(3).

500.17(b)(2): Signatories

33. If I am an individual with no Board of Directors, who should sign my annual notification of compliance that is required by Section 500.17(b)?
+

For an individual with no Board of Directors, the annual notification of compliance that is required by Section 500.17(b) must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity.

34. If a Covered Entity has a part time or outsourced CISO, who should sign the Certification of Material Compliance or Acknowledgment of Noncompliance (the “Annual Notice of Compliance)?
+

The Annual Notice of Compliance must be signed by the highest-ranking executive at a Covered Entity and that Covered Entity’s CISO. The term CISO is defined in § 500.1(c) as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.” Part time or outsourced CISOs may sign the Annual Notice of Compliance provided that they meet these standards.

Often, part time and outsourced CISOs provide services that are based on contracts that limit the scope of their duties and responsibilities. If a Covered Entity uses a part time or outsourced CISO, the Covered Entity itself is responsible for its compliance with the Cybersecurity Regulation and is required to designate a senior member of its personnel to oversee a part time or outsourced CISO.

If a Covered Entity does not have its own CISO as defined in § 500.1(c), then the senior officer responsible for the cybersecurity program of the Covered Entity must sign the Annual Notice of Compliance along with the CEO or highest-ranking executive of the Covered Entity.”

35. Can somebody who doesn’t have the precise title “CISO” sign as CISO?
+

All Covered Entities that do not qualify for an exemption are required to designate a CISO pursuant to § 500.4(a). A CISO is defined in §500.1(c) as “a qualified individual responsible for overseeing and implementing a covered entity’s cybersecurity program and enforcing its cybersecurity policy.”

If the Covered Entity designates an individual that is qualified, and responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy, then that individual should sign the Annual Notice of Compliance as the CISO.

500.17(b)(3): Documentation

36. Should a Covered Entity send supporting documentation along with the annual submission regarding its compliance?
+

You do not need to send supporting documentation if you are submitting a Certification of Material Compliance. If you are submitting an Acknowledgment of Noncompliance, you must identify all sections of the Cybersecurity Regulation you did not materially comply with, describe the nature and extent of such noncompliance, and provide a remediation timeline or confirmation that remediation has been completed. No additional explanatory or other materials are required as part of these submissions.
The Cybersecurity Regulation does require, however, that Covered Entities maintain records, schedules, and data that support their annual notification – whether a certification or an acknowledgment -- for 5 years and provide such information to the Department upon request. The information you must keep includes, but is not limited to, the identification of all areas, systems, and processes that require or required material improvement, updating or redesign, remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.

 

500.19 Exemptions

37. What is the difference between an employee and an independent contractor for purposes of section 500.19(a)?
+

Whether an individual who performs services for a Covered Entity is an independent contractor or an employee for purposes of section 500.19(a) depends upon many factors including how much control the Covered Entity has over the individual, whether the services provided are integral to the Covered Entity’s business operations, and whether the Covered Entity sets the individual’s work hours, requires prior permission for absences, reserves the right to terminate the individual on short notice, provides benefits, compensates the individual hourly or the same amount each week, and provides equipment, facilities, tools or supplies. The ultimate decision rests upon the actual relationship between the individual and the Covered Entity and not how many hours a week the individual works, or language in a contract, if one exists, between the Covered Entity and the individual. 
 

In general, independent contractors are in business for themselves, make their services available to the public, and perform services without supervision or direction from the Covered Entity. Alternatively, employees typically are subject to a Covered Entity’s supervision and direction, work at the Covered Entity’s offices and use the Covered Entity’s computers, supplies and other tools, and are paid a salary.

38. When does the limited exemption in Section 500.19(a)(1) for Covered Entities with “fewer than 20 employees and independent contractors” of the Covered Entity and its Affiliates apply?
+

Under Section 500.19(a)(1), which is also referred to as the Small Business Exemption, smaller Covered Entities are exempted from certain enumerated requirements of Part 500 when a Covered Entity and all of its Affiliates combined have a total of fewer than 20 employees and independent contractors. When determining whether a Covered Entity and its Affiliates have fewer than 20 employees and independent contractors, all of the Covered Entity’s employees and independent contractors and all of the Covered Entity’s Affiliate’s employees and independent contractors must be counted regardless of where any of the employees and independent contractors are located.   

Note that Affiliate is defined very broadly in Section 500.1 as any individual or entity, including but not limited to any partnership, corporation, branch, agency or association, that controls, is controlled by, or is under common control with any other individual or entity, including but not limited to any partnership, corporation, branch, agency or association. For purposes of this definition, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.

39. If a Covered Entity qualifies for a limited exemption, does it need to comply with the Cybersecurity Regulation?
+

Yes, but a Covered Entity that qualifies for a limited exemption does not have to comply with every section of the Cybersecurity Regulation. Covered Entities that qualify for the limited exemption in Section 500.19(a) do not have to comply with Sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16; those that qualify for a limited exemption in Section 500.19(c) do not have to comply with Sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16; and those that qualify for the limited exemption in Section 500.19(d) do not have to comply with Sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16.  Notably, all of the limited exemptions require qualifying Covered Entities to submit an annual notification regarding their compliance with Part 500, but they only need to notify DFS about their compliance with the sections applicable to them based on their exemption.

Please note that, as of November 1, 2024, Covered Entities qualifying for the exemption in 500.19(a) will not be exempt from Sections 500.12 and 500.14(a)(3).  That means these Covered Entities will have to comply by November 1, 2024 with the MFA requirements in Section 500.12 and the cybersecurity awareness training requirements in Section 500.14(a)(3)

40. If a Covered Entity has a limited exemption, what sections of the regulation does it still need to comply with?
+

If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must comply with some sections of the Cybersecurity Regulation as listed in the tables below.

This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(a) exemption.

If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must comply with some sections of the Cybersecurity Regulation as listed in the tables below.

This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(a) exemption.

Exemptions:Compliance Requirements:
500.4
Cybersecurity governance
500.2
Cybersecurity program
500.5
Vulnerability management
500.3
Cybersecurity policy
500.6
Audit trail
500.7
Access privileges and management
500.8
Application security
500.9
Risk assessment
500.10
Cybersecurity personnel and intelligence
500.11
Third-party service provider security policy
500.14(a)(1)
Monitor user activity
500.12
Multi-factor authentication
(as of November 1, 2024)
500.14(a)(2)
Implement risk-based controls to protect against malicious code
500.13
Data retention requirements
(as of November 1, 2025 this will also include asset management requirements)
500.14(b)
Monitoring and training – for Class A companies
500.14(a)(3)
Provide cybersecurity awareness training 
(as of November 1, 2024)
500.15
Encryption of nonpublic information
500.17
Notices to superintendent
500.16
Incident response and business continuity management
 

This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(c) or (d) exemption.

Exemptions:Compliance Requirements:
500.2
Cybersecurity program
500.9
Risk assessment
500.3
Cybersecurity policy
500.11
Third-party service provider security policy
500.4
Cybersecurity governance
500.13
Access management and data retention requirements
(as of November 1, 2025 this will also include asset management requirements)
500.5
Vulnerability management
500.17
Notices to superintendent
500.6
Audit trail
 
500.7
Access privileges and management
 
500.8
Application security
 
500.10
Cybersecurity personnel and intelligence
 
500.12
Multi-factor authentication
 
500.14
Monitoring and training
 
500.15
Encryption of nonpublic information
 
500.16
Incident response and business continuity management
 
41. When calculating gross annual revenue for purposes of Section 500.19(a)(2), does a Covered Entity have to include the gross annual revenue from all of its business operations or only from business operations that are located in New York?
+

When calculating gross annual revenue for purposes of determining whether a Covered Entity qualifies for an exemption under §500.19(a)(2), the Covered Entity must include (1) the gross annual revenue from all of its business operations regardless of whether such operations are located in NY or anywhere else in the world and (2) the gross annual revenue from the New York business operations of their Affiliates. If an Affiliate does not have any gross annual revenue from business operations in New York, its gross annual revenue does not need to be included in the calculation for purposes of qualifying for a §500.19(a)(2) limited exemption. The limited exemption set forth in §500.19(a) is, and always has been, meant for small businesses, not for small branches or affiliates of large companies.

“Affiliate” is a term defined in the Cybersecurity Regulation as “any Person that controls, is controlled by or is under common control with another Person”, and “control” means “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” The Cybersecurity Regulation defines “Person” as “any individual or entity, including but not limited to any partnership, corporation, branch, agency or association.”

42. Is a Covered Entity entitled to an exemption under Section 500.19(b) if that Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity?
+

A Covered Entity is entitled to a Section 500.19(b) exemption in such cases only if it is an employee, agent, representative, or designee that is fully covered by the cybersecurity program of one of the Covered Entities for which it is an employee, agent, representative or designee. In other words, if a Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity, it will only qualify for a Section 500.19(b) exemption if the cybersecurity program of at least one of those Covered Entities fully covers all aspects of its business.

When submitting the notice for a Section 19(b) exemption, a Covered Entity must provide the name of the Covered Entity whose cybersecurity program its business is covered by, along with the name of an individual at that Covered Entity who can verify the coverage.

43. What constitutes a “wholly owned subsidiary” for purposes of qualifying for the exemption in 23 NYCRR 500.19(b)?
+

To qualify as a wholly owned subsidiary that is fully exempt from the requirements of Part 500 pursuant to Section 500.19(b), a Covered Entity must be (1) either directly or indirectly 100 percent owned by another Covered Entity and (2) covered by, and follow, the cybersecurity program of the parent Covered Entity. 

Covered Entities that have determined they qualify for an exemption should submit a Notice of Exemption within 30 days of making that determination. Notices of Exemption must be submitted through the DFS Portal. Instructions on How to File a Notice of Exemption can be found in the “Part 500 Exemptions” section of this website. 

44. Does a Covered Entity that qualifies for an exemption under Section 500.19(b) need to file a Notice of Exemption?
+

Yes. Section 500.19 subsections (a) through (e) set forth exemptions from different requirements of Part 500. Section 500.19(f) requires Covered Entities that qualify for any of those exemptions to submit a Notice of Exemption within 30 days of determining that it so qualifies.

45. Does a Covered Entity need to amend its Notice of Exemption in the event of changes after the initial submission (e.g., name changes or changes to the applicable exemption(s))?
+

Yes. If there are changes, the Covered Entity should amend its Notice of Exemption in the DFS Portal, where there is an option to choose “amend exemption.”

The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Portal. A Covered Entity should use the account it used to file its original Notice of Exemption or, if the Covered Entity’s exemption was submitted as part of a bulk filing, create a new account to amend its exemption.

46. If a Covered Entity ceases to qualify for an exemption under Section 500.19, how should the Covered Entity notify the Department?
+

If a Covered Entity ceases to qualify for a previously claimed exemption, the Covered Entity should, as soon as reasonably possible, notify the Department through the DFS Portal by terminating its previously filed exemption. Under Section 500.19(h), a Covered Entity has 180 days to comply with all applicable requirements of Part 500 once it ceases to qualify for an exemption.

47. Can a Covered Entity file a Notice of Exemption on behalf of its employees or agents?
+

By permission, the Department will approve the filing by certain Covered Entities of Notices of Exemption on behalf of their employees or captive agents who are also Covered Entities. This option, called “Bulk Filing,” will only be available if 50 or more employees or captive agents qualify for the same exemption.

A Covered Entity that wants to use the Bulk Filing process should go to the Cybersecurity-related Submissions section on this site to find information on how to do so.

Exceptions/Deferrals to other regulators

48. Can a common trust fund (“CTF”) that is administered by another Covered Entity rely on the cybersecurity program of that Covered Entity?
+

A CTF that is administered by another Covered Entity can rely on the cybersecurity program of that Covered Entity, as long as that cybersecurity program conforms with Part 500 and fully protects the CTF. Under these circumstances, the Covered Entity must submit a Certification of Compliance with the Department. If the CTF is administered by a national bank, then the Department will defer to that bank’s primary regulator to ensure that the CTF has a proper cybersecurity program. Further, to protect markets, the Department strongly encourages all financial entities, including CTFs administered by national banks, to adopt cybersecurity protections consistent with the safeguards and protections of Part 500.

49. Are the New York branches of out-of-state domestic banks required to comply with Part 500?
+

New York is a signatory to the Nationwide Cooperative Agreement, revised as of December 9, 1997 (the “Agreement”), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches. In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination. DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York. With respect to the Cybersecurity Regulation, given the ever-increasing cybersecurity risks financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of Part 500.

Part 500 Exemptions

Covered Entities may not have to comply with some or all of the Cybersecurity Regulation’s requirements if they qualify for an exemption. There are two types of exemptions: full and limited, both of which are in section 500.19. This section first explains what qualifies a Covered Entity for an exemption, then describes the cybersecurity requirements a Covered Entity must comply with if it qualifies for an exemption, and finally provides directions on how to submit notifications to the Department regarding a Covered Entity’s exempt status.

Qualifications for Full Exemptions

Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).

To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative, or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business.

To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating, or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).

To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).

Qualifications for Limited Exemptions

Three subsections of section 500.19 provide for limited exemptions: 500.19(a), 500.19(c), and 500.19(d).

There are three ways a Covered Entity may qualify for a 500.19(a) limited exemption:

  1. A Covered Entity and its Affiliates combined must have fewer than 20 employees and independent contractors (500.19(a)(1));
  2. To qualify for a limited exemption under §500.19(a)(2), a Covered Entity must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from (1) all its business operations, wherever located, and (2) its affiliates’ New York business operations.
  3. A Covered Entity must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.

Affiliate, for purposes of the Cybersecurity Regulation and determining whether a Covered Entity qualifies for any of the 500.19(a) exemptions, is defined very broadly as “any person that controls, is controlled by, or is under common control with another person.”  Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” (500.1(a))

To qualify for a 500.19(c) limited exemption, a Covered Entity must not directly or indirectly operate, maintain, utilize, or control any Information Systems, and must not be required to, directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information. 

To qualify for a 500.19(d) limited exemption, a Covered Entity must be a captive insurance company that does not and is not required to directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information other than information relating to its corporate parent company or affiliates.

Cybersecurity Requirements for Exempt Covered Entities

If a Covered Entity qualifies for a full exemption, it must submit a Notice of Exemption to DFS. As long as it remains qualified for a full exemption, it does not have to comply with any other section of the Cybersecurity Regulation.

If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must submit a Notice of Exemption, comply with some sections of the Cybersecurity Regulation (which sections depend on the type of limited exemption and are listed in the table below), and submit annually a notice regarding the Covered Entity’s compliance with Part 500.

The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(a) exemption.

Exemptions:Compliance Requirements:
500.4
Cybersecurity governance
500.2
Cybersecurity program
500.5
Vulnerability management
500.3
Cybersecurity policy
500.6
Audit trail
500.7
Access privileges and management
500.8
Application security
500.9
Risk assessment
500.10
Cybersecurity personnel and intelligence
500.11
Third-party service provider security policy
500.14(a)(1)
Monitor user activity
500.12
Multi-factor authentication
(as of November 1, 2024)
500.14(a)(2)
Implement risk-based controls to protect against malicious code
500.13
Data retention requirements
(as of November 1, 2025, this will also include asset management requirements)
500.14(b)
Monitoring and training – for Class A companies
500.14(a)(3)
Provide cybersecurity awareness training (as of November 1, 2024)
500.15
Encryption of nonpublic information
500.17
Notices to superintendent
500.16
Incident response and business continuity management
 

The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(c) or (d) exemption.

Exemptions:Compliance Requirements:
500.2
Cybersecurity program
500.9
Risk assessment
500.3
Cybersecurity policy
500.11
Third-party service provider security policy
500.4
Cybersecurity governance
500.13
Access management and data retention requirements
(as of November 1, 2025, this will also include asset management requirements)
500.5
Vulnerability management
500.17
Notices to superintendent
500.6
Audit trail
 
500.7
Access privileges and management
 
500.8
Application security
 
500.10
Cybersecurity personnel and intelligence
 
500.12
Multi-factor authentication
 
500.14
Monitoring and training
 
500.15
Encryption of nonpublic information
 
500.16
Incident response and business continuity management
 

Submitting Notice of Exemption Regarding Exempt Status

Covered Entities that have determined they qualify for an exemption should submit a Notice of Exemption within 30 days of making that determination. 500.19(f). Some Covered Entities qualify for more than one exemption, and they can indicate that on their Notice of Exemption.

Covered Entities must submit their Notices of Exemption through the DFS Portal. Detailed instructions for making this submission can be found in the Instructions on How to File a Notice of Exemption (PDF).

Amending a Filed Exemption

If a Covered Entity no longer qualifies for an exemption, it should amend or terminate its Notice of Exemption within 30 days. A Covered Entity should amend its Notice of Exemption when its qualifications for an exemption change, but it still qualifies for at least one exemption. Covered Entities must amend their Notices of Exemption through the DFS Portal. Detailed instructions for amending exemption status can be found in the Instructions on How to Amend Previously Filed Notices of Exemptions (PDF).

Terminating a Filed Exemption

A Covered Entity that no longer qualifies for any exemption must terminate their exemption as soon as reasonably possible after they no longer qualify. No matter when the termination is submitted, however, the Covered Entity has 180 days from the date they are no longer qualified to become fully compliant with the Cybersecurity Regulation.  Covered Entities must terminate their Notices of Exemption through the DFS Portal. Detailed instructions for notifying DFS that a Covered Entity no longer qualifies for an exemption can be found in the Instructions on How to Terminate Previously Filed Notices of Exemption (PDF).

Bulk Exemption Submissions

Covered Entities that employ 50 or more individual Covered Entities that qualify for the same exemption may file exemptions on behalf of those employees through the bulk submission process.

Covered Entities that qualify and would like access to use the bulk submission process should email the Department at [email protected] from the email address associated with their DFS Portal account, and the Department will send further instructions. The submitter will need to provide their name, DFS identification number, type of license, and email address for every Covered Entity on whose behalf they are submitting. The Covered Entity using the bulk submission process will be able to add and terminate exemptions as their employees’ employment and exemption status changes.

Covered Entities that have their Notice of Exemption filed as part of a bulk filing will receive an email from DFS confirming the filing. The email will include a receipt number and list the exemption(s) filed. Covered Entities must retain a copy of this receipt number for future reference as it will be the only receipt you will get from DFS regarding the submission.

Please note that Covered Entities are ultimately responsible for ensuring their compliance with Part 500. Therefore, a Covered Entity must ensure that either their employer or they notify the Department of any changes in status.

Submission Confirmation

After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to renew their licenses.

Submit a Compliance Filing

Cybersecurity Compliance Submission Notice: You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts page on the DFS Portal and follow the instructions. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

Starting in 2024, Covered Entities will continue to be required to submit an annual notice regarding their compliance with Part 500, but will have the choice of submitting either a Certification of Material Compliance or an Acknowledgment of Noncompliance. Section 500.17(b). All Covered Entities that are not exempt from the requirement to comply with 500.17 must file one or the other each year by April 15 regarding their compliance during the previous calendar year. Covered Entities that qualify for a limited exemption pursuant to 500.19(a), (c), or (d) are required to submit one of these annual notifications by April 15 as well, but they only have to certify compliance or acknowledge noncompliance with the sections from which they are not exempt.

Annual notifications regarding compliance for the calendar year 2023 are due by April 15, 2024. They must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity. Covered Entities may submit these notifications starting on January 1, 2024.

Covered Entities that have more than one license must file separate annual notifications for each license they hold. Covered Entities must keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request. 500.17(b)(3).

Certification of Material Compliance

Covered Entities that were materially compliant with all sections of the Cybersecurity Regulation that applied to it during the previous calendar year must submit a Certification of Material Compliance. See instructions for how to submit a Certification of Material Compliance below.

Acknowledgment of Noncompliance

If a Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b). To submit an acknowledgment, please go to the DFS Portal and follow the instructions below.

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Report a Cybersecurity Incident

Covered Entities must notify the Department of a Cybersecurity Incident as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Incident has occurred at the covered entity, its affiliates, or a third-party service provider. 500.17(a).

A Cybersecurity Incident is any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system that:

  • impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
  • has a reasonable likelihood of materially harming any material part of the normal operation(s) if the covered entity; or
  • results in the deployment of ransomware within a material part of the covered entity’s information system. 500.1(f) and (g)

Covered Entities must report a Cybersecurity Incident to DFS through the DFS Portal. To ensure that reports are matched to the correct individual or entity, the Portal requires the submitter to use an identifying number. An identifying number can be a NYS License number, NAIC/NY Entity number, NMLS number, or Institution number. The DFS Portal contains a look-up feature for submitters who do not know any of their identifying numbers. To notify DFS of a Cybersecurity Incident, go to the DFS Portal and follow the Instructions on How to Report a Cybersecurity Incident (PDF).

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Report an Extortion Payment

Unfortunately, ransomware attacks continue to threaten financial services companies and their customers. DFS, like the FBI and other regulators, recommends against paying ransoms. While Covered Entities are not prohibited from making such payments, as of December 1, 2023, a Covered Entity that has made an extortion payment in connection with a cybersecurity event that occurred on its Information Systems must file a Notice of Extortion Payment within 24 hours of payment. Within 30 days of payment, the Covered Entity will be required to provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, it conducted to find these alternatives. Furthermore, the Covered Entity must describe the diligence it performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control. 500.17(c). To notify DFS of an extortion payment, please go to the DFS Portal and follow the Instructions on How to Report an Extortion Payment (PDF).

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Submission Confirmation

After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to update DFS regarding a reported Cybersecurity Incident.

Supervision and Examinations

To safeguard financial services organizations and the confidential information of New Yorkers, DFS uses a multi-pronged approach to monitor cyber risk. The cyber supervision program supplements traditional examinations with new types of information-gathering and analysis activities intended to create a holistic view of the cybersecurity risk posture of the thousands of New York financial services firms regulated by DFS.

The Department's approach was a first among regulators when it was launched as a pilot in December 2021 and has three key components: 

Regulatory Examinations and Data Analysis

DFS will continue to conduct regular examinations that include a focus on cybersecurity/IT risk and compliance. It will also assess Covered Entities for cybersecurity risk based on their previous examination reports, annual cybersecurity regulation compliance filings, reported incidents, and other regulatory filings.

Cyber Controls Assessment Questionnaires

DFS will periodically ask Covered Entities to complete assessment questionnaires, such as the Cybersecurity and Information Technology Baseline Risk Questionnaire. Such questionnaires will be independent of the examination process and are based on similar assessments used by industry and insurers to assess risk for financial services companies.

External Data Scans and Analysis

To better and faster assess cyber risk facing Covered Entities, DFS uses various sources of information to develop an “outside-in” view of cyber risk of specific regulated entities as well as New York State’s financial services sector overall. Such information may come from information-sharing arrangements with public sector partners and industry organizations. DFS also conducts data gathering and analysis through its dedicated Cyber Intelligence Unit which draws on a mix of sources including DFS data, publicly available information, and commercial scanning and threat analysis capabilities.

Producers, Individual Licensees, and Small Businesses

Cybersecurity Compliance Submission Notice: If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

This part of the Cybersecurity Resource Center has been developed specifically for DFS-regulated individuals and small businesses. It is intended to provide clear, step-by-step instructions for complying with the Cybersecurity Regulation.

Step 1. Determine whether you need to comply with the Cybersecurity Regulation.

If you have a license issued by DFS or are otherwise regulated by DFS, you must comply with the Cybersecurity Regulation. That is because the Cybersecurity Regulation applies to all individuals and small businesses that are “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under the Banking, Insurance or Financial Services Laws. Section 500.1(e).

Step 2. Determine whether you qualify for any of the exemptions listed in the Cybersecurity Regulation.

Many individual brokers, agents, and adjusters, as well as some small businesses, qualify for an exemption. The exemptions are listed in Section 500.19 and fall into two categories: full and limited.

Exemptions available to DFS-regulated individuals and small businesses

Full Exemptions

Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).

To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business (referred to as the Covering Entity). Individuals who only work for one company and do not work on any other outside matters typically qualify for this exemption.

To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).

To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).

Whether you qualify for one of these exemptions depends on your specific circumstances. DFS cannot make that determination for you.

Limited Exemptions

If you don’t qualify for any of the full exemptions, you may qualify for a limited exemption, which means that, if you qualify, you must submit a Notice of Exemption through the DFS Portal, comply with certain sections of the Cybersecurity Regulation (which we will discuss in Step 4), and submit an annual Certification of Material Compliance or Acknowledgment of Noncompliance.

The following are the most common exemptions for small businesses and individuals: Sections 500.19(a)(1), 500.19(a)(2), and 500.19(a)(3).

To qualify under Section 500.19(a)(1), a business, along with any Affiliates, must have fewer than 20 employees and independent contractors.

To qualify for a limited exemption under §500.19(a)(2), an individual or small business must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from (1) all its business operations, wherever located, and (2) its affiliates’ New York business operations. 

To qualify under Section 500.19(a)(3), an individual or business must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.

Affiliate, for purposes of the Cybersecurity Regulation and determining whether any of the 500.19(a) exemptions apply, is defined very broadly as “any person that controls, is controlled by or is under common control with another person.”  Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.”

Individuals and small businesses may also qualify for the limited exemption set forth in Section 500.19(c) if they (1) do not operate, maintain, use, or control a computer or other device that holds electronic data, including phones; and (2) do not, and are not required to, control, own, access, generate, receive, or possess confidential customer and other sensitive business and private information.

You may qualify for more than one of the limited exemptions listed above. If you do, you should indicate that when you submit your Notice of Exemption.

Whether you qualify for an exemption depends on your specific circumstances. DFS cannot make that determination for you.

If you do NOT qualify for an exemption, you must comply with all sections of the Cybersecurity Regulation and can skip Steps 3 and 4.

Step 3. If you qualify for one or more limited exemptions or the 500.19(b) or 500.19(e) full exemptions, submit a Notice of Exemption. 

To receive the benefits of qualifying for an exemption, you must submit a Notice of Exemption through the DFS Portal (see instructions on setting up a DFS Portal account.) 

Note that if you qualify for a full exemption pursuant to Section 500.19(b), you will need to provide the name of the Covering Entity (the DFS-regulated entity whose cybersecurity program covers all aspects of your work) when submitting your Notice of Exemption. If your business qualifies for the Section 19(b) exemption because it is a wholly owned subsidiary of another DFS-regulated entity, you will need to provide the name of your DFS-regulated parent company whose cybersecurity program covers all aspects of your business’s work. You or your business cannot claim yourself or itself as the Covering Entity or parent company.

Notices of Exemption are good until they are terminated which means you do not need to submit a Notice each year; however, if you qualify for a full exemption pursuant to Sections 500.19(b), (e), or (g), you should review your status every year to determine whether you still qualify for the exemption. If you qualify for a limited exemption pursuant to Sections 500.19(a), (c), or (d), you will be asked whether you still qualify for an exemption when you submit your annual Certification of Material Compliance or Acknowledgment of Noncompliance.

If your qualifications for an exemption have changed (for example, when you stop working for the DFS-regulated company or stop using their cybersecurity program), you are responsible for making sure your exemption is amended or terminated. If your company submitted a Notice of Exemption on your behalf, the company may terminate your exemption, but it is your responsibility to make sure that is done.

If you qualify for a full exemption and have submitted your Notice of Exemption, you do not need to proceed past this step. However, if you only qualify for one or more limited exemptions pursuant to Section 500.19(a), (c) or (d), you must submit a Notice of Exemption AND proceed to Step 4.

Step 4. If you qualify for one of the limited exemptions, determine which sections of the Cybersecurity Regulation you must comply with.

If you qualify for a Section 500.19(a)(1), (2), or (3) exemption, you are still required to: maintain a cybersecurity program as required in Section 500.2 and cybersecurity policies as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

Additionally, starting in November 2024, you will also be required to comply with the MFA requirements in Section 500.12 and provide cybersecurity awareness training pursuant to Section 500.14(a)(3).

If you qualify for a Section 500.19(c) or (d) exemption, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

Importantly, if you qualify for a limited exemption, you still must submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 every year pursuant to Section 500.17. However, you only need to certify that you are materially complying with the sections of the Cybersecurity Regulation that are applicable to you or acknowledge your noncompliance with those sections.

Step 5. Take action to comply with the sections of the Cybersecurity Regulation applicable to you.

Once you determine which sections of the Cybersecurity Regulation apply to you (see Step 4), take action to comply. You can use the short descriptions below to prepare a list of the sections that apply to you along with any needed actions.

Section 500.2 – Maintain a cybersecurity program. This section requires you to have a cybersecurity program that enables you or your company to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.  

Section 500.3 – Maintain cybersecurity policies. This section requires you to establish and maintain written cybersecurity policies that essentially comprise the framework for your cybersecurity program. These policies should be created after an assessment of your cybersecurity risks. Those risks include how much data you hold, the types of data you hold, the number of people who can access that data, and other similar factors. DFS partnered with the Global Cyber Alliance (GCA) to develop a set of cybersecurity policy templates  which can provide a helpful starting point for individuals and small businesses.

You only need to establish and maintain policies that are relevant to your business, but you must consider whether you need policies that cover the following topics and controls, all of which are listed in Section 500.3:

  • Information security
  • Data governance and classification
  • Asset inventory and device management 
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Systems operations and availability concerns  
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party provider management
  • Risk assessment
  • Incident response

As of April 29, 2024, you will also be required to consider whether you need policies that cover the following areas:

  • Data retention
  • End of life management
  • Remote access
  • Security awareness and training
  • Application security
  • Incident notification
  • Vulnerability management

Your policies need to be approved by your senior leadership, such as a senior officer or manager or an appropriate committee of your board (if one exists).  

Section 500.7 – Control who can access your computer system and nonpublic information. This section requires you to know who has access to the confidential customer and business information held by your business AND to limit that access to people who need it for their job. This section also requires you to periodically review who has and needs such access.

As of May 1, 2025, you must also impose limits with respect to privileged accounts, only allow secure connections where devices can be remotely controlled, promptly terminate access when employees leave, and have a written password policy that meets industry standards, among other things.

Section 500.9 – Conduct risk assessments. You must base your cybersecurity program on the identification, evaluation, and prioritization of cybersecurity risks to your business operations, including but not limited to risks to your Information Systems, the Nonpublic Information maintained on those systems, and your customers. You must conduct periodic risk assessments in accordance with written policies and procedures which have to include: the criteria you will use to evaluate and categorize identified cybersecurity risks and threats;  the criteria you will use to assess the confidentiality, integrity, security, and availability of your Information Systems and the Nonpublic Information maintained on them; and requirements that describe how identified risks will be controlled, minimized, or accepted and how your cybersecurity program will address those risks.  These assessments must be reviewed and updated at least annually and when any changes to your business or technology materially impacts your cyber risk.

Section 500.11 – Maintain a policy regarding the use of third-party service providers. You must have written policies and procedures designed to ensure the security of the confidential customer and sensitive business information that is accessible to, or held by, third parties. A third party, for purposes of the Cybersecurity Regulation, is an individual or organization that provides services to you, has access to your confidential customer and other sensitive business information, and is not affiliated with you or your company. Law firms, internet hosting companies, and electronic storage providers are examples of third-party service providers.

Section 500.13 – Limit the data you keep. You must not keep confidential customer and sensitive business information any longer than it is needed for business purposes. A legitimate business purpose includes anything you are required to retain by law or regulation.

As of November 1, 2025, you will also need to have policies in place to implement and maintain an up-to-date asset inventory covering your information systems. 

Section 500.17 – The following are required notifications to DFS:

  • Annual Compliance Submissions – Submit either a Certification of Material Compliance or an Acknowledgment of Noncompliance each year by April 15th regarding your compliance during the previous calendar year.
    • If you were materially compliant with all sections of the Cybersecurity Regulation that applied to you during the previous calendar year, submit a Certification of Material Compliance.
    • If you cannot certify that you were in material compliance with the sections of the  Cybersecurity Regulation that were applicable to you during the prior calendar year, you must submit an Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of the Cybersecurity Regulation that you have not materially complied with; (3) describes the nature and extent of the noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed.
  • Cybersecurity Incident Notifications – Notify DFS within 72 hours after you determine that you experienced a Cybersecurity Incident, which includes acts or attempts to gain unauthorized access to, disrupt, or misuse your Information Systems or the Nonpublic Information stored on those Information Systems that:
    • impacted you and required you to notify another government body, self-regulatory agency or any other supervisory body; 
    • has a reasonable likelihood of materially harming any material part of your normal operations; or
    • resulted in the deployment of ransomware within a material part of your Information Systems.
  • Extortion Payment Notifications – If you make an extortion payment in connection with a Cybersecurity Event that occurred on your Information Systems, you must notify DFS within 24 hours of payment. Within 30 days of payment, you must provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, you conducted to find these alternatives. You must also describe the diligence you performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control.  

If you qualify for a Section 500.19(a) limited exemption, as of November 1, 2024, you will also need to comply with two other Sections of the Cybersecurity Regulation: Section 500.12 and Section 500.14(a)(3).

Section 500.12 – Use multi-factor authentication (“MFA”) for any remote access you allow into your information systems, or to third-party applications where Nonpublic Information is accessible (including any cloud applications), or to privileged accounts. If – and only if – you have a CISO, you may be able to use reasonably equivalent or more secure compensating controls as long as the CISO approves and reviews the controls to ensure their reasonable equivalence at least annually. 

Section 500.14(a)(3) – Provide cybersecurity awareness training that includes social engineering for all personnel at least annually.

If you do not qualify for any exemption, then you must comply with all sections of the Cybersecurity Regulation. The above list does NOT include a discussion of all of the sections that are applicable to you if you don’t qualify for an exemption. 

Step 6. If you are complying with all of the sections of the Cybersecurity Regulation applicable to you, submit a Certification of Material Compliance annually by April 15.  If not, submit an Acknowledgment of Noncompliance by April 15.

If you qualify for an exemption and are in material compliance with the sections of the Cybersecurity Regulation that are applicable to you, submit a Certification of Material Compliance by April 15 of each year through the DFS Portal

If you cannot certify that you were in material compliance with the Cybersecurity Regulation for the prior calendar year, you must submit a written Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of Part 500 that you have not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. See Section 500.17(b).

If you do not qualify for an exemption, submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 of each year through the DFS Portal


Answers to Questions Frequently Asked by Individuals and Small Businesses

Questions regarding DFS Portal submissions (Section 500.17)

1. What should I do if I am having trouble logging in to the DFS Portal or resetting my password?

+

Note: You will need to create a DFS Portal account, your LINX username and password will not work for DFS Portal. If you have a Portal account and have reset your password, and are still not able to log in, email [email protected] with “Trouble Logging into the Portal” or “Password Reset” in the subject line. If you haven’t received a response within 10 business days from the date you sent your message, DFS may not have received it. In this event, please resend your email.

2. How can I confirm DFS received my submissions?
+

If you did not receive an email from DFS after making a submission, you may email [email protected] with “Confirm My Submission” in the subject line. We will need your name or your company’s name (as it appears on the DFS license) and one of the following for you or your company: NYS License number, NAIC number, NMLS Identification number, or Institution number.

Questions regarding filing annual notifications regarding compliance (Certifications of Material Compliance and Acknowledgements of Noncompliance) (Section 500.17(b))

3. If I am a non-resident Covered Entity, am I required to submit an annual notification regarding my compliance?
+

All Covered Entities, including non-residents, are required to submit notifications of their compliance unless they qualify for a full exemption pursuant to Section 500.19(b), (e), or (f) and have filed a Notice of Exemption.

4. If I am licensed by DFS but not currently working in the field, do I need to submit an annual notification regarding my compliance?

+

The following inactive licensees who do not otherwise qualify as a Covered Entity (for example, who do not hold another type of license) are exempt from the annual requirement to notify DFS regarding their compliance:

  1. inactive individual insurance brokers (subject to Insurance Law section 2104) who (a) do not maintain, control or use, even indirectly, any Information Systems and do not have any Nonpublic Information, and (b) have not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year;
  2. individual insurance agents placed in inactive status under Insurance Law §2103; and
  3. individual mortgage loan originators placed in inactive status under Banking Law §599-i.

If none of the above apply to your situation, then as long as you are licensed by DFS, you need to comply with the Cybersecurity Regulation. However, you may qualify for the limited exemption pursuant to Section 500.19(c) which applies to any regulated entity or licensed Person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, Section 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see table below), including the requirement to submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance.

5. If I am an individual with no Board of Directors, who should sign my annual notification of compliance?
+

The annual notification of compliance that is required by Section 500.17(b) must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity.  If you are an individual, you should sign as the highest-ranking executive and if you don’t have a CISO – even a virtual one or one at a managed service provider – you should sign as the senior officer responsible for your cybersecurity program.

6. Should I send supporting documentation with my annual submission regarding compliance?
+

You do not need to send supporting documentation if you are submitting a Certification of Material Compliance. If you are submitting an Acknowledgment of Noncompliance, you must identify all sections of the Cybersecurity Regulation you did not materially comply with, describe the nature and extent of such noncompliance, and provide a remediation timeline or confirmation that remediation has been completed. No additional explanatory or other materials are required as part of these submissions.

The Cybersecurity Regulation does require, however, that Covered Entities maintain records, schedules, and data that support their annual notification – whether a certification or an acknowledgment -- for 5 years and provide such information to the Department upon request. The information you must keep includes, but is not limited to, the identification of all areas, systems, and processes that require or required material improvement, updating or redesign, remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.

Questions About Limited Exemptions (500.19(a), (c), and (d))

7. If I filed a Notice of Exemption from the Cybersecurity Regulation, do I need to file an annual notification of compliance?
+

It depends on the exemption for which you qualify. If you qualify for a full exemption pursuant to Section 500.19(b), (e), or (g), and submitted a Notice of Exemption, you do not need to submit an annual notification regarding your compliance. If, however, you qualify for a limited exemption and filed a Notice of Exemption pursuant to Sections 500.19(a), (c) or (d), you do need to submit an annual notification regarding your compliance with the sections of the Cybersecurity Regulation applicable to you based on the exemption for which you qualify. For example, if you qualify for a Section 500.19(a) exemption, you must file an annual notification regarding your compliance only with Sections 500.2, 500.3, 500.7, 500.9, 500.11, and 500.17.

8. When does the limited exemption in Section 500.19(a)(1) for Covered Entities with “fewer than 20 employees and independent contractors” of the Covered Entity and its Affiliates apply?
+

Under Section 500.19(a)(1), which is also referred to as the Small Business Exemption, smaller Covered Entities are exempted from certain requirements of Part 500 when a Covered Entity and all of its Affiliates combined have a total of fewer than 20 employees and independent contractors. When determining whether a Covered Entity and its Affiliates have fewer than 20 employees and independent contractors, all of the Covered Entity’s employees and independent contractors and all of the Covered Entity’s Affiliates’ employees and independent contractors must be counted regardless of where any of the employees and independent contractors are located.  

Note that Affiliate is defined very broadly in Section 500.1 as any individual or entity, including but not limited to any partnership, corporation, branch, agency or association, that controls, is controlled by, or is under common control with any other individual or entity, including but not limited to any partnership, corporation, branch, agency or association. For purposes of this definition, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise. 

Questions about full exemptions (Section 500.19(b))

9. Am I qualified for an exemption under Section 500.19(b) if I am an employee, agent, representative or designee of more than one other Covered Entity?
+

You are entitled to a Section 500.19(b) exemption in this case only if you are an employee, agent, representative, or designee that is fully covered by the cybersecurity program of one of the Covered Entities for which you are an employee, agent, representative or designee. In other words, if you are an employee, agent, representative or designee of more than one other Covered Entity, you will only qualify for a Section 500.19(b) exemption if the cybersecurity program of at least one of those Covered Entities fully covers all aspects of your business.

When submitting the notice for a Section 19(b) exemption, you must provide the name of the Covered Entity whose cybersecurity program your business is covered by, along with the name of an individual at that Covered Entity who can verify the coverage.

10. If my employer submitted an exemption for me through the bulk filing process, what do I need to do when I stop working for the company?
+

If you work for a company that has 50 or more employees who qualify for an exemption, and your company has submitted a Notice of Exemption on your behalf through the bulk filing process, you must ask your employer to terminate your exemption when you stop working for that company. If you cannot confirm that they have done so, you may terminate your exemption. See the Instructions on How to Terminate Previously Filed Notices of Exemption to learn how to do so.

11. Do I need to amend my Notice of Exemption if I changed my name or if my qualifications for an exemption have changed?
+

Yes.  If there are any changes, you should amend your Notice of Exemption by going to the DFS Portal where there is an option to choose “amend exemption.”

DISCLAIMER: This part is explanatory and provided for informational purposes only. In the event of an inconsistency between this part and the Cybersecurity Regulation, the Cybersecurity Regulation will prevail.


Tools for Small Businesses

As doing business online becomes indispensable, it is essential that small businesses protect themselves and their customers from cybercrime. However, cybersecurity can be especially challenging for small businesses.

The Department is committed to supporting small businesses in this regard. To help improve their cybersecurity, DFS has partnered with the Global Cyber Alliance (GCA) to highlight the availability of free cybersecurity resources. GCA has created a Cybersecurity Toolkit for Small Business that contains a set of free tools, guidance, resources, and training for small businesses. It is targeted to small businesses that do not have a dedicated cybersecurity staff.

Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop sample cybersecurity policies. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. The sample policies provide a helpful starting point for all small businesses.

The sample policies include:


All cybersecurity policies created by a business should be tailored to the business’s specific needs, risks, resources, and structure. Some businesses may require additional actions beyond those suggested in the sample policies; likewise, not every action suggested will be required for every business. Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including the Cybersecurity Regulation. Best practices can also change over time.

Businesses should review their policies for accuracy, completeness, and applicability, and update them as needed based on their risk assessments.

More guidance for small businesses can be found in our Information for Small Businesses section.

Other small business resources

Archived Materials