NY State Financial Services
NY Department of Financial Services (23 NYCRR 500)
Organizations that operate under the Banking Law, Insurance Law or the Financial Services Law in the State of New York must comply with the new Cybersecurity requirements under 23 NYCRR 500. Below are some quick and easy steps to help identify which sections you must comply with along with an outline of related deadlines.
Please note that this is NOT legal advice. Any Covered Entity should always consult with an attorney prior to confirming your qualification for Limited Exemption and before submitting Appendix A & B to the Superintendent of Financial Services.
Complete this form for a checklist to
23 NYCRR 500 Compliance
Step 1: Section 500.01, Definitions, section (c). What is a Covered Entity?
Regardless of where your Headquarters is domiciled, you must comply with this new law, wholly or in part, depending upon if you meet the Limited Exemption qualifications. Before taking next steps to understand whether or not your organization qualifies to meet Limited Exemptions it is imperative to understand exactly what a Covered Entity is defined as.
- “A Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”
Step 2: Section 500.19, Exemptions, Section (a) (1), (2) and (3). Do you qualify for the Limited Exemption?
A majority of the companies that are defined as a Covered Entity may qualify for a Limited Exemption under this section. In order to qualify for the Limited Exemption your organization only needs to meet one (1) of the requirements in this section. If your organization DOES NOT meet ANY limited exemptions in this section you MUST comply with all sections of this law.
- Does your organization have less than 10 employees including independent contractors working at an office within the State of New York?
- Does your organization have less than $5MM in gross annual revenue in each of the last three (3) fiscal years from business within the State of New York?
- Does your organization have less than $10MM in year-end total assets within the State of New York?
If your organization can answer YES to any one of these you qualify for the Limited Exemption! Therefore, the sections your organization MUST comply with ONLY at this time are:
- Sections 500.02, 500.03, 500.07, 500.09, 500.11 & 500.13
Additional Exemptions - Section 500.19, Exemptions, Section (b) through (d) and (f)
As mentioned a majority of the organizations defined as a Covered Entity will qualify for the Limited Exemption above. However, there are additional ways organizations can qualify:
- (b) – If an individual is itself a Covered Entity acting as an employee, agent, representative or designee of a Covered Entity and you are covered by their cybersecurity program you are exempt and DO NOT need to develop a cybersecurity program of your own.
- (c) – If you are a Covered Entity who does not have access to Information Systems and Nonpublic Information you MUST ONLY comply with sections:
- 09, 500.11 & 500.13
- (d) – If you are a Covered Entity under Insurance Law only and do not have access to Nonpublic Information you MUST ONLY comply with sections:
- 09, 500.11 & 500.13
- (f) – If you ONLY qualify as a Covered Entity because of one of the following, you are actually not considered a Covered Entity and are exempt from all requirements:
- You are subject to Insurance Law section 1110 (actively operational for the last ten years solely as a charitable, religious, missionary, education or philanthropic organization)
- You are subject to Insurance Law section 5904 (Risk Retention Groups)
- You are an accredited or certified Reinsurer pursuant to 11 NYCRR 125
Step 3: Deadlines
At this point your organization should be aware of whether you qualify for an exemption or not. Below is an outline of the deadlines in which you must be in compliance for each section and their dates, along with submissions to the Superintendent of Financial Services. If you qualify for the Limited Exemption under Section 500.19 (a)(1)(2)(3) those sections are highlighted in bold.
- August 28th, 2017
- Sections 02, 500.03, 500.04, 500.07, 500.10 and 500.16
- September 27th, 2017
- Appendix B (Notice of Exemption) is due to the Superintendent of Financial Services.
- Note: if your organization qualifies for Limited Exemption under section 500.19(f) submission of this Appendix is NOT required at this time.
- February 15th, 2018
- Appendix A (Certification of Compliance) is due to the Superintendent of Financial Services.
- March 1st, 2018
- Sections 500.05, 09, 500.12, 500.14(b)
- September 1st, 2018
- Sections 500.06, 500.08, 13, 500.14(a), 500.15
- March 1st, 2019
- Sections 11
Step 4: Continual Requirements - Section 500.17, Notices to Superintendent and Section 500.19(g)
After your organization has started to comply with the sections according to the deadlines outlined above there are still some requirements moving forward. Both of these are VERY IMPORTANT to ensure compliance with 23 NYCRR 500.
- Section 500.17 (a) and (b)
- (a) Effective August 28th, 2017 each Covered Entity must notify the superintendent no later than 72 hours from a determination that a Cybersecurity Event has occurred that (1) requires notice to a government body or self-regulatory agency or any other supervisory body or (2) has a reasonable likelihood of materially harming normal operations.
- (b) Annually each Covered Entity MUST re-submit Appendix A (Certificate of Compliance) by February 15th.
- All records, schedules and data supporting this certificate must be kept for a period of 5 years.
- If areas, systems or processes that require improvement, updating or redesign have been identified those must be documented along with remedial efforts.
- Section 500.19(g)
- If, at the conclusion of a Covered Entities’ fiscal year end it ceases to qualify for an exemption, there is a 180 day period from that fiscal year end to comply with sections they are no longer exempt from.