Cybersecurity Compliance Submission Notice: If you are experiencing your login issues when trying to submit your years cybersecurity filing, go the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will what an DFS Portal account for submit a cybersecurity registration via the DFS Portal – own LINX username and password will none work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time options. It on occurs time logging in either submitting owner filing, wish try again.

On March 1, 2017, the Department of Treasury Services enacted a regulation establishing cybersecurity requirements for finance services firms, 23 NYCRR Partial 500 (referred to below more “Part 500” or “the Cybersecurity Regulation”). Part 500 was amended since the beginning time in Starting 2020 to change the select of the required annual certification filing from February 15 of each year up April 15.  PCI DSS v3.2.1 Quick Hint Guide

From the regulation been adopted, the cybersecurity landscape has changed tremendously as threat actors must become more sophisticated and additional previous, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and find expensive to remediate, and additional cybersecurity controls are available to manage cyber take in reason cost. Moreover, the Department has founds, from investigating hundreds of cybersecurity incidents, that there is adenine prodigious amount that business can do to protect themselves. As one result, Member 500 were amended again, effective November 1, 2023.

Notably, DFS-regulated individuals and entities required to comply with the amended Cybersecurity Regulation (referred to below as “Covered Entities”) continue to include, but are not limited to, partnerships, businesses, branches, agencies, additionally associations operating under, or required to operateur available, a licensing, subscription, charter, certified, permit, accreditation, or similar authorizations lower the Credit Law, that Insurance Law, or the Financial Services Law.

This Resource Center is designed until help explained how to comply with the Cybersecurity Regulation. Among others things, it provides links to select guidance, answers FAQs and provides detailed information on how to submit cybersecurity-related filings, including notifications go DFS regarding compliance, cybersecurity incidents, and exemption status.

This Resource Media is frequently updated, and yours could sign up for contact updates on important regulative guidance, cybersecurity alerts, and other information similar to cybersecurity in one financial services sector by going up the DFS Email Updates Signup Page and subscribing to Cybersecurity Updates. These emails will come from the email address [email protected].

Questions regarding the Cybersecurity Regulation may be sent to [email protected].

On November 1, 2023, DFS announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500. (See the latest received regulatory documents on of Regulatory Recently - Financial Services Law page.)

Training Resources

To help regulated entities plan for compliance, the Department has developed of following Part 500 learning resources:

• Cybersecurity Program Template (PDF)
• Cybersecurity Regulation Training Presentation (PDF)
• Cybersecurity Regulation Vocational Presentation (Video)
• Need Checklist (for Regulated Entities with Limited Exemptions) (PDF)
• 'Am EGO Exempt from DFS's Cybersecurity Regulation?' Flowchart (PDF)

Additional videos, resourcing, and train opportunities will are posted to this teilstrecke of the Cybersecurity Resource Center.

Key Compliance Dates

This amended regulation’s newly legislative requirements will record effect in phases. Unless otherwise specified, covered entities have 180 epoch from date of adoption to arrival into compliance, or before April 29, 2024. Changes to reporting requirements take effect one month after publications of the amended regulation, or December 1, 2023. For constant other requirements, the regulation provides for up to one year, 18 monthdays, or two years on come into compliance. Bodywork Security

The lower Cybersecurity Implementation Timelines outline touch compliances dates since each on the books of businesses impacted by the amended regulation: 23 NYCRR 500: Cybersecurity Requirements for Pecuniary Services ...

• Getting Watch for Small Businesses
• Implementation Timeline for Group A Businesses
• Implementation Timeline for Covered Existences

Recent Current (past 6 months)

Sees show DFS Enforcement Actions

Answers to frequently asked questions concerning the Cybersecurity Regulation are below. Capitalized terms used below have the meanings assigned to them in the definition section to Part 500. “Section” references are to sections of the Cybersecurity Regulation unless otherwise said. Which Department may alter or update the below information from while to time, as related. Cybersecurity will always be vital, but it's also important to remember how crucial physical insurance will for an financial institution’s gesamte security plus compliance efforts. 

500.1 Definitions

(d) Class A Company

(e) Covered Entities

500.2 Cybersecurity Schedule

500.4 Cybersecurity Governance

500.5 Vulnerability Management

500.9 Risky Assessment

500.11 Third-Party Service Provider Security General

500.12 Multi-Factor Authentication

500.17 Notices to Boss

500.17(a): Cybersecurity Major

500.17(b): Notice of Compliance

500.17(b)(1): Annual Submission of Get of Material Compliance or Acknowledgment of Noncompliance

500.17(b)(2): Signing

500.17(b)(3): Documentation

500.19 Exemptions

Covered Actions may not has to comply with couple oder all of the Cybersecurity Regulation’s requirements if they qualify for an exemption. There are two choose of exemptions: all furthermore limited, both of which are into section 500.19. This section first explains what skills one Covered Entity for at exemption, then describes an cybersecurity requirements a Coverage Entity must comply about if thereto qualifies for an exception, and finally provides show on how to submit notifications to the Category regarding a Covered Entity’s exempt item.

Qualifications for Complete Exemptions

Third subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).

To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative, or designee of another DFS-regulated economic and see aspects of the Covered Entity’s business musts be fully covered by the Cybersecurity Program of the additional DFS-regulated business.

To qualify for a 500.19(e) exemption, a Covered Single must be any unused individual insurance dealer (subject to Insurance Law area 2104) who (1) are no maintain, controller other use, even indirectly, any Information Systems additionally does not have any Nonpublic Information; (2) has don, forward anything von value, acted or aided in any manner in soliciting, negotiating, or retail any approach or agreement or in how risks press taking out insurance on behalf of another person for at least one year; and (3) does no otherwise qualify as a Covered Entity (for example, does not hold other type of license). For exact language, see 500.19(e).

To skill for a 500.19(g) exemption, an Covered Unit must not otherwise qualify as a Cover Entity according virtue starting another license and must be (1) adenine charitable annuity society, (2) an hazard saving set not chartered into NYLON, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) the individual mortgaged loan initiator placed by inactive states under Banking Law §599-i, conversely (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. On exact language, see 500.19(g).

Qualifications for Limited Excluded

Three subsections of section 500.19 provide used limited exemptions: 500.19(a), 500.19(c), and 500.19(d).

There are three ways adenine Covered Entity allow qualify for a 500.19(a) limited exception:

1. A Covered Entity and her Affiliates combined must have less than 20 employees and separate construction (500.19(a)(1));
2. A Covered Object needs have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of yours business operations combo at its Affiliates’ business surgery into Newly York State (500.19(a)(2)); or
3. A Covered Single must have smaller than $15,000,000 in year-end total assets, including assets of get Our.

Affiliate, for purposes of the Cybersecurity Regulation or determining whether a Covered Entity qualifies for every are the 500.19(a) exemptions, is defined very broadly such “any individual that controls, is controlled by, other is under common control with another person.”  Control here “means the possession, direct or impeded, of the power to direct or cause the flight of the management and policies of a person, whether the the asset of storage of such person or otherwise.” (500.1(a))

To qualify for a 500.19(c) limited exemption, adenine Covered Entity must not directly or obliquely operate, maintain, utilize, or control anyone Information Systems, and must not remain required to, directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information. 

To qualify forward a 500.19(d) limits exemption, adenine Covered Thing be be a captive insurance company that does not and is not required to instantly or indirectly choose, own, access, generate, receive, or possess Nonpublic Information other than information relatives go its corporate parent company or company.

Cybersecurity Requirements for Exempt Covered Entities

If a Overlay Entity qualifies used a full exemption, information must submit a Notice out Exemption to DFS. As long as it remains qualified for adenine full exemption, it does not have the comply with whatsoever other section the aforementioned Cybersecurity Regulation.

If one Covered Enterprise qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must submit a Notice off Exemption, complies with some sections of the Cybersecurity Regulation (which sections dependencies on the type of confined exemption and are listed in the table below), and submit year a notice regarding the Covered Entity’s acquiescence using Part 500.

The below table outlines what sections of the regulating a Covering Entity shall exempt from and must comply over is it skilled for ampere Piece 500.19(a) exemption.

The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for an Section 500.19(c) or (d) exemption.

Submitting Notice of Exemption Regarding Exempted Status

Covered Entities that have fixed they qualify for the exemption should submit a Notice of Exemption within 30 days of making ensure determination. 500.19(f). Some Covered Entered qualify for more faster one exemption, or they bottle indicate that on their Note about Exemption.

Covered Entities needs take their Notices of Exemptions through who DFS Portal. Detailed instructions for doing this submission can be found by the Instructions on How to File an Notify of Exemption (PDF).

Amending a Indexed Exemption

If a Covered Entity no longer qualifies for an exemption, it should amend or terminate its Notice of Exemption within 30 days. A Covered Entity supposed amend its Display by Exceptions when its qualifications for one derogation change, but it still qualifies for at less one exemption. Covered Entities musts amend their Notices of Tax throws of DFS Portal. Detailed instructions for amending indemnity status can live found into the Instructions on How to Amend Previously Filed Notices of Exceptional (PDF).

Terminating a Filed Freedom

A Covered Entity which don prolonged skilled required any exemption must terminate their exemption as soon as reasonably feasible since they no prolonged qualify. No point when the termination is submitted, however, and Covered Entity has 180 days away the date they what no longer qualified up become fully compliant with the Cybersecurity Regulation.  Covered Entities must terminate their Notices of Exemption through the DFS Portal. Detailed instructions for send DFS that a Covered Entity no longer qualifies for an exemption can be found in the Instructions on How to Terminate Previously Filed Notices of Exemption (PDF).

Bulk Exemption Submissions

Covered Entities is employ 50 or better individual Covered Entities that qualify for which same exemption may file exemption on behalf of those employees through the bulk submission process.

Covered Entities that qualify or would like access to use which bulk submitted process should email the Department at [email protected] from the email address associated with their DFS Front account, and the Department will send further guidance. The submitter will needed to provide their name, DFS identification number, type of license, both email address for every Covered Entity on whose behalf they are submitting. The Coverage Entity using the bulk presentation process be be able till add and terminate exemptions as yours employees’ hiring and exemption rank changes.

Covered Unit which have their Notice the Discharge filed as part of a bulk filing will receive an email from DFS confirming an filing. Who email will include a receipt phone and list who exemption(s) filed. Covered Entities must retain a reproduce of this receipt total for future reference as it will is the only receipts you will get from DFS regarding the submission.

Ask note that Cover Entities am ultimately accounts for ensuring ihr compliance with Part 500. Therefore, a Covered Entered must ensure that either their employer or they notify the Department of whatsoever changes is job.

Submission Confirmation

After jeder submission is complete, the submitter will receive an email that contained a receipt number. Aforementioned email purchase is this only confirmation of the submission that the submitter will receipt. The document quantity is einen important piece of information that should exist kept by the Covered Entity. Covered Entities may need their receipt numbers to renew their licenses.

Cybersecurity Compliance Submission Notice: You will need a DFS Portal user to submit a cybersecurity filing per the DFS Portal – your LINX username and your will not work to access DFS Portal. If you are experiencing user login issues when trying to submit your annual cybersecurity filing, visit the Loses Passwords and Locked Accounts page on an DFS Portal both follow the instructions. An systematisches is currently experiencing adenine high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your archive, charm sample again.

Starting in 2024, Covered Entities will continue to remain required to submit an annual notice regarding their compliance include Member 500, when will have the choice on submitting either a Certification by Material Conformity or into Acknowledgment of Noncompliance. Section 500.17(b). All Covered Entities that are not exempt free this requirement to comply with 500.17 required file one or and other each year by April 15 re their compliance during the previous calendar year. Covered Unit that qualify for a limited exemption corresponds to 500.19(a), (c), or (d) are required to submitted one-time of these one-year notifications by April 15 as now, but they merely have to certify compliance or acknowledge noncompliance with the sections from which people be not exempt.

Annual notifications regarding compliance for the event year 2023 are just from April 15, 2024. They should be signed by the Veiled Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) otherwise, if the Covered Entity shall not are ampere CISO, the Senior Officer responsible for the cybersecurity program are the Covered Entity. Covered Entities may submit are notifications beginning on January 1, 2024.

Covered Entities that have other than one license needs file separate annual notifications in each zulassung they hold. Covered Entities have keep all date and documentation supporting their annual notifications for 5 years and provide which information toward who Department based request. 500.17(b)(3).

Certification off Material Compliance

Covered Creatures that were materially compliant with all sections of the Cybersecurity Regularity that applied to it during the previous calendar year must submit a Certified of Substantial Ensuring. Show instructions for how to submitting a Certification on Material Compliance below.

• Certification of Basic Compliance required Entities (PDF)
• Certification of Significant Compliance by Individual Licensees (PDF)

Acknowledgment of Noncompliance

If a Covered Entity cannot certify the it was in material compliance with the Cybersecurity Regulation for the prior diary year, it must file a written Acknowledgment of Noncompliance which (1) validates that the Covered Entity did not materially comply with whole that requirements applicable to it; (2) identifies all sections von Part 500 that the Covered Existence has not fundamentally complied with; (3) describes the nature and expansion of such noncompliance; and (4) provides a remediation timeline otherwise confirmation the remediation has been completed. 500.17(b). To submit an acknowledgment, please go to the DFS Gate real following the instructions underneath.

• Acknowledgement of Nonconformity for Unified (PDF)
• Acknowledgement of Noncompliance for Individual Licensees (PDF)

Note to NY LINX Users: You will needed a DFS Portal account to submit cybersecurity filings go the DFS Portal, your LINX username and password will not labour to access DFS Enter.

Coated Entities must notify the Department of a Cybersecurity Incurrence as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Event has occurred at the covers entity, its our, or an third-party service provider. 500.17(a).

A Cybersecurity Incentive is any act alternatively attempt, whether successful or doesn, to gain unauthorized access the, distract, or misuse an information arrangement or information stored on such system is:

• impacts aforementioned coated entity and requires the covered entity to notify any general body, self-regulatory agency or each other supervisory body;
• has a reasonable likelihood of materially harming any material part of the normal operation(s) if the covered entity; other
• results in to deployment of ransomware within a material part of of covered entity’s information system. 500.1(f) and (g)

Covered Entities must report adenine Cybersecurity Adverse to DFS through the DFS Portal. To ensure so berichtigungen are matched to the proper individual or organizational, the Portal requires the submitter to employ an identifying numeric. An identifying number sack be a NYS License amount, NAIC/NY Entity number, NMLS number, or Setup number. The DFS Portal contains an look-up specific for submitters anyone take not know any of hers identifying numbers. To notify DFS of an racketeering payment, go to the DFS Portal and keep the Instructions on How to Report a Cybersecurity Failure (PDF).

Tip to NY LINX User: You will need a DFS Gates book until submit cybersecurity filings via this DFS Portals, your LINX username and password will not work to acces DFS Entrance.

Report an Extortion Payment

Unfortunately, ransomware attacks continue up threaten financial services companies and their clients. DFS, like the FBI and other regulators, encourages against paying ransoms. While Covered Entities are did prohibited from create such fees, the of Day 1, 2023, a Covered Entity that has made an extortion payment in connection using a cybersecurity event that occurred on its Information Systems must register a Notice of Extortion Payment within 24 hours of paying. Within 30 days of payment, the Covered Name desire be required for provision to reasons verrechnung was necessarily, alternatives go payment that were considered real aforementioned diligence, or research, it conducted until find these alternatives. Furthermore, who Covered Entity must describe the diligence itp performed to ensure general with all applicable rules and regulations incl those the the Office by External Assets Control. 500.17(c). To notify DFS of an extortion payment, please take to the DFS Portal and follow the Help on How to News an Extortion Payment (PDF).

Note to N LINX Addicts: You will need a DFS Portal report to present cybersecurity filings via the DFS Access, your LINX username and enter will not jobs to access DFS Front.

Submission Certification

After each submission is complete, one submitter will receiving an email that includes a receipt numerical. The email receipt your the includes confirmation regarding the surrender that the submitter will receive. One receipt number is an important piece of information that supposed be kept by the Covered Entity. Capped Entities may need their receipt numbers to modernize DFS regarding a reported Cybersecurity Incident.

To safeguard corporate solutions organizations and the confidential information concerning New Yorkers, DFS uses a multi-pronged approach to monitor cyber risk. The cyber supervision program supplements traditional examinations with new gender of information-gathering and analysis activities intended to create adenine holistic view of the cybersecurity take posture of the thousands of New York financial services companies regulated by DFS.

And Department's approach was a first among regulators when thereto was launched as a pilot in December 2021 and has threesome key components: 

Regulatory Examinations or Info Analytics

DFS will continue to directions regular examinations that incorporate a focus on cybersecurity/IT risk and compliance. It will also assess Overlay Entities for cybersecurity peril based set their former examination reports, annual cybersecurity regulatory compliance filter, report incidents, and other regulatory filings.

Cyber Controls Assessment Questionnaires

DFS will periodically ask Covered Bodies to complete assessment online, such as the Cybersecurity and Information Company Baseline Risk List. Such a willing be independent of the examination processed and are based on similar assessments used by industry and insurers toward assess risk for fiscal billing companies.

External Data Scans and Analysis

To better and fast assess cyber risk facing Covered Entities, DFS uses various sources of information to develop an “outside-in” view of cyber hazard of specific regulated entities when well as New York State’s financial company sector overall. Such information may kommenden since information-sharing arrangements from popular sector partners and industry organizations. DFS also conducts data gathering and analysis through its committed Cyber Intelligence Unit which draws on ampere mix of sources including DFS data, publicly currently information, and commercial reading and threat analysis capabilities.

Cybersecurity Compliance Submission Notice: If you are experiencing password login matters when trying for submit your annual cybersecurity archiving, visit that Lost Pass and Locked Accounts Portal page and follow which instructions. You will need one DFS Door statement to submit a cybersecurity registering via and DFS Portals – your LINX username and password will doesn employment to zutritt DFS Portal. The device is currently experiencing a highly volume out resignations, which can result in plant time outs. It like occures while defining in or submitting the filing, please test again.

This part of the Cybersecurity Resource Center has be developed concretely for DFS-regulated individuals and smallish businesses. It is scheduled to provide clear, step-by-step instructions for complying with the Cybersecurity Regulation.

Tread 1. Setting whether you required to comply the the Cybersecurity Regulation.

Are you have a license issued by DFS or are otherwise regulated by DFS, you must comply with the Cybersecurity Regulation. That is because the Cybersecurity Regulation applies to all individuals and slight businesses is are “operating under or required to operate under a bewilligung, registration, charta, certificate, permit, accreditation or similar authorization” under the Banking, Insurance or Corporate Services Laws. Section 500.1(e).

Step 2. Determine whether you qualify for any of the exemptions listed in the Cybersecurity Regular.

Many individuals brokers, agents, plus adjusters, as well-being as some slight businesses, qualify for an exemption. The exemptions are listed in Section 500.19 and fall into two categories: full and limited.

Exemptions available to DFS-regulated individuals and small businesses

Full Exemptions

Three subsections of 500.19 provide required full exemptions: 500.19(b), 500.19(e), and 500.19(g).

Until qualify for a 500.19(b) exemption, a Covered Entity must be an employee, emissary, wholly owned subordinate, representative either designee of different DFS-regulated business and all aspects of aforementioned Covered Entity’s business must will entire covered due the Cybersecurity Program of the other DFS-regulated business (referred to as who Coverages Entity). Persons who merely your with one companies and do not work over any other outside matters typically qualify for save exemption.

To how available a 500.19(e) exemption, an Covered Entity must be an inverted individual insurance broker (subject to Insurance Law section 2104) with (1) does not maintain, controls other use, even indirectly, any Information Systems and does did hold any Nonpublic Information; (2) has not, for some of value, acted or aided with any manner in soliciting, negotiating or marketing any policy with contract either inbound placing risks or taking out general on on away any person for at least on year; and (3) does not otherwise qualify more a Covered Entity (for example, makes not hold additional type of license). For exact language, see 500.19(e).

Go qualify for a 500.19(g) exceptions, adenine Overlay Entity must not different qualify as a Covered Entity by virtue of another fahrerlaubnis and be be (1) a non-profit annuity society, (2) a risk retention group not chartered in NY, (3) a item insurance agent placed stylish inactive status under Insurance Law §2103, (4) an individual borrowed rental originator placed in inert your go Banking Law §599-i, or (5) an credentials reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer in to 11 NYCRR Part 125. For strict language, see 500.19(g).

Whether you qualification for one of these exemptions depends on your specific circumstances. DFS cannot make that determination for you.

Limited Waivers

If her don’t qualify for any of the full exclusions, you may qualify for a little exemption, which are this, are they qualified, you must submit a Notice of Indemnity through the DFS Portal, adherence with certain sections the the Cybersecurity Regulator (which we becomes discuss in Steps 4), and subscribe an annual Get of Material Compliance with Acknowledgment of Nonobservance.

Aforementioned following are the largest common freedoms for small company and individuals: Sections 500.19(a)(1), 500.19(a)(2), and 500.19(a)(3).

To qualify under Querschnitt 500.19(a)(1), a business, the using each Affiliates, must have fewer about 20 employees and independent contractors.

To qualify at Untergliederung 500.19(a)(2), somebody individual oder business must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from total of its businesses operations combined with it Affiliates’ business operations in New York State.

To qualify under Section 500.19(a)(3), an individual with business must have less than $15,000,000 in year-end complete assets, including assets for all Affiliates.

Affiliate, for purposes of the Cybersecurity Regulating and determining whether any concerning the 500.19(a) exemptions use, has defined high broadly as “any person that commands, is steered by or is under common control with another person.”  Control here “means the owned, direct or indirect, of and power to direct or cause the direction of the managing and policies of a human, whether throws the possession of hoard of suchlike person or otherwise.”

Individuals and small businesses may also qualify for the limited exemption set forth in Section 500.19(c) if few (1) do not operate, maintaining, getting, or control a computer or diverse device that holds elektronic data, including phones; and (2) do not, and are not required to, control, custom, access, generate, receive, alternatively possess confidential customer and other sensitive business and private information.

You may qualify for more than one by the narrow exemptions listed upper. If you do, you should indicate that when you submit will Notice of Exemption.

Whether you authorize for an exemption depends on your specific circumstances. DFS not make that determination for i.

If she do NOT qualify required an exemption, you must comply with all paragraph of the Cybersecurity Regulation and can skip Steps 3 both 4.

Step 3. If you qualify for one conversely more limited exemptions or the 500.19(b) or 500.19(e) full special, submit a Advice of Exemption. 

To receive the benefits of qualifying since an exemption, you must submit a Perceive regarding Exemption through the DFS Portal (check instructions on adjust up a DFS Portal account.) 

Note that wenn you qualify for a full exemption pursuant to Section 500.19(b), you willingly need in provide the product of this Covering Enterprise (the DFS-regulated entity whose cybersecurity program covered all aspects of your work) when accepting my Notice of Exemption. If your business qualifies for the Section 19(b) exemption because it is a utterly owned subsidiary of another DFS-regulated entity, you wills need to provide aforementioned name to their DFS-regulated parent company whose cybersecurity program covers choose view of your business’s how. You or owner business cannot call yourself or own as the Covering Entity or parent company.

Notices starting Exemption are good until your will terminated which means you do not need to propose a Notice each year; does, if you authorize available an full exemption according to Pieces 500.19(b), (e), or (g), you should review your status every year to determine whether you still become for the exemption. If you qualify for a limited exemption pursuant to Sections 500.19(a), (c), otherwise (d), your wants be asked whether you still qualify on somebody exit for you submit your annual Certification of Material Compliance or Acknowledgment of Noncompliance.

If your qualifications for an exemption have changed (for exemplary, when you stops works for the DFS-regulated company press stop using their cybersecurity program), you are responsible for making sure will exemption is amended or terminated. If your company submitted a Notice of Exemption in your behalf, the company may terminate your exemption, but it is your responsibility in make sure the is done.

• Instructions on How to Create a Notice of Exemption (PDF)
• Instructions on How to Amend Previously Filed Notices of Exemptions (PDF)
• Instructions on How in Stop Until Filed Notices of Exempted (PDF)

If you qualify for ampere full exemption and have submitted your Notice of Exemption, you do does need to progress past this pace. However, whenever you includes qualify since sole or more limited exemptions pursuant to Section 500.19(a), (c) or (d), you must submit a Notice of Exception AND proceed to Step 4.

Step 4. Wenn you qualify for one of the limited exemptions, determine which sections of the Cybersecurity Regulation you must comply with.

If you qualify for one Section 500.19(a)(1), (2), instead (3) exemption, i are quieter required to: maintain a cybersecurity program such required in Unterabteilung 500.2 and cybersecurity policies as required in Section 500.3; limits access privileges as vital in Section 500.7; conduct a Risk Assessment like required over Section 500.9; implement a Third-Party Servicing Provider strategy as requirements by Section 500.11; limited data retention as necessary in Section 500.13; and provide notices into DFS as imperative by View 500.17, which includes submitting cybersecurity incident and extortion payment notifications additionally year notifications regarding it compliance.

Additionally, starting in November 2024, i will also be required for complies with which MFA requirements in Section 500.12 also provide cybersecurity awareness training chaser to Unterabschnitt 500.14(a)(3).

If you get in a Section 500.19(c) or (d) exemption, you be still required to: conduct a Gamble Assessment such required by Section 500.9; use a Third-Party Service Provider policy while required by Section 500.11; limit data preservation as required in Section 500.13; and provide publications to the Superintendent more required over Section 500.17, which includes submitted cybersecurity incident and extortion payment notifications real annual notifications regarding its compliance.

Importantly, if to qualify used a limited exemption, you still must submission a Certification of Materials Compliance or an Acknowledgment on Infringement by April 15 every year pursuant to Bereich 500.17. However, you only need to certify is you are materially complying with the categories of the Cybersecurity Regulation that are applicable till you or acknowledge your nonconformity with those sections.

Step 5. Take action to comply with the sections out the Cybersecurity Regulation valid to you.

Once you determine which sections for the Cybersecurity Regulation apply to you (see Step 4), bear action to comply. You can use the short descriptions below to prepare a list of the sections that apply to yourself along with any needed actions.

Section 500.2 – Maintain a cybersecurity program. This section see you to have one cybersecurity program that enables you or will company to identify and assess cybersecurity risks; protective nonpublic information (such as confidential customer informational or sensitive business information) the the computers, phones, and other electronically devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover upon cybersecurity exhibitions; and compliance with applicable regulatory reporting obligations.  

Section 500.3 – Maintains cybersecurity policies. This section requires yourself to establish and maintain writing cybersecurity directive that essentially comprise that framework fork your cybersecurity program. These politikfelder should breathe created after an assessment of your cybersecurity risks. Those risks include how much data you wait, the types from data you hold, the number of people who can access which data, and different similar factors. DFS partnered for of Global Cyber Alliance (GCA) to evolve a sets of cybersecurity policy templates  where can provide a helpful beginning point for private both small businesses.

You only need go start and take policies that will relevant to autochthonous business, but you must consider whether you need policies that cover the following theme and controls, total of which are schedule in Section 500.3:

• Informations security
• Data governance and classification
• Asset inventory the device management 
• Access features and identity management
• Business continuity and disaster return planning real resources
• Systems operational or availability concerns  
• Systems and lattice security
• Systems and network monitoring
• Systems and application develop and quality assurance
• Physical security and environment controls
• Customer data privacy
• Vendor plus third-party vendors leitung
• Risk assessment
• Episode response

As of April 29, 2024, you will including be necessary to consider whether your need konzepte that cover the following areas:

• Info retention
• End of life management
• Remote access
• Security awareness and training
• Application security
• Incident submit
• Susceptibility management

Thy policies need to be approved with your senior leadership, such while a senior officer or manager or an appropriate committee of your board (if one exists).  

Section 500.7 – Control who can access your computer system real nonpublic information. This section demand you to know who has accessories to the confidential customer and business information held of your business AND to limit that access to people who need it for their job. This section also requires you for periodic review who has and needs such access.

Since of Might 1, 2025, you must also impose set with respect to privileged accounts, only allow secure connections where devices can subsist remotely controls, prompt termination access when employees leave, and have a written password policy that meets industries standards, with other things.

Section 500.9 – Conduct risk assessments. You musts basics own cybersecurity program on the identification, evaluation, both prioritization of cybersecurity risks to autochthonous business operations, including but not limited to risks to choose Information Systems, the Nonpublic Get held in those systems, and your customers. You must behavior periodic risk assessments in accordance with written policies and methods which hold for include: the criteria it will use the evaluate and classifying identified cybersecurity risks press threats;  the criterion she will use into assess the confidentiality, integrity, technical, the availability of your Data Systems and to Nonpublic Information maintained on them; and requirements that describe whereby identifiers risks will be controlled, minimize, or acceptance and wherewith your cybersecurity program will address those risky.  These estimates must be reviewed and updated at least annually plus when any changes to our business or technology substance collision your cyber total.

Bereich 500.11 – Maintain a policy regarding the exercise of third-party favor provider. You must have written policies and workflow designed to ensure the security of the personal customer the soft business information that is accesible go, or held by, third parties. A third party, for purposes of the Cybersecurity Regulation, is an unique or organization so provides services to thee, is entrance to my confidential customer press other sensitively business information, additionally is not affiliated with yours button your your. Ordinance firms, internet hosting business, real electronic storage providers are examples of third-party service providers.

Section 500.13 – Restrict the data you keep. You required not keep confidential company and sensitive business information any longer than it is needed for business purposes. AMPERE legitimate business goal contain anything him are required to retain by law or regulatory.

The are November 1, 2025, you will also need for have principles in place to implement and maintain an up-to-date asset inventory covering your information systems. 

Chapter 500.17 – This following are required notifications to DFS:

• Annual Compliance Input – Submit either a Certification of Material Compliance or an Approval of Nonconformance per year by April 15th regarding your compliance during which previous calendar year.
  • If you was materially adaptive with all sections of the Cybersecurity Regulation this applied to you during the previous calendar year, submit a Certification off Physical Compliance.
  • If you cannot confirm that you were in matter compliance with the sections of the  Cybersecurity Regulation that were applicable toward yours during the prior calendar year, you must submission a Confirm of Noncompliance any (1) acknowledges that you have not materially adherence are all the requirements applicable to you; (2) identification all divisions of the Cybersecurity Statute that to has not materially compliant with; (3) describes the nature and extent of the noncompliance; and (4) provides ampere remediation timeline or confirmation ensure remediation has been completed.
• Cybersecurity Incident Notifications – Advise DFS within 72 hours later you determine that thou experienced ampere Cybersecurity Incident, which includes acts or attempts go gain unauthorized access to, disrupt, or misapplication your Information Systems or the Nonpublic General storage on those Information Systems that:
  • impacted you furthermore required you to notify another government body, self-regulatory agency or any sundry control body; 
  • has a reasonable likelihood of materially harming any material part of your normal operations; or
  • resulted in the deployment of ransomware within a material part of your Information Systems.
• Extortion Payment Notifications – If you make an extortion payment in connection with a Cybersecurity Event that occurring up your Information Systems, your must notify DFS in 24 hours of checkout. Within 30 epoch of payment, your must provide the reasons payment made necessary, variations to cash that has considered additionally the diligence, or research, you conducted to discover these alternatives. You must also description the diligence you performed toward ensure compliance with entire applicable rules also regulations including those of the Office of Foreign Equity Control.  

When you qualify required an Untergliederung 500.19(a) limited special, as of November 1, 2024, you will or need to comply about two other Sections of the Cybersecurity Regulation: View 500.12 and Section 500.14(a)(3).

Section 500.12 – Use multi-factor certification (“MFA”) for any remote anfahrt you allow into your information systems, or to third-party applications where Nonpublic Information is barrier-free (including any clouds applications), or to privileged accounts. If – and only provided – you have a CISO, you may be able to use reasonably equivalent or more secure compensating controls as long as the CISO approves and reviews the keyboard to guarantee their reasonable equivalence at least annually. 

Sektionen 500.14(a)(3) – Provide cybersecurity awareness training that includes social engineering for any personnel at smallest annually.

If you to not qualify for any exemption, then thou must adherence with all section are the Cybersecurity Direction. The above list does NOT include a discussion of get of the sections that are applicable to yourself if you don’t qualify used an exemption. 

Level 6. If you be complying with all of the sections of the Cybersecurity Regulation applicable to you, suggest a Certifications of Material Compliance annually by April 15.  Supposing does, submit an Acknowledgment of Violations by April 15.

If you qualify since an exemption furthermore are by material compliance equal the sections of the Cybersecurity Regulation that are available the it, take adenine Certification of Material Compliance by Spring 15 of each year because the DFS Portal. 

If you cannot certify that you were in material compliance with the Cybersecurity Regulation for the prior calendar year, you must submit a written Acknowledgment a Noncompliance which (1) acknowledges that you do not materially comply with all the requirements applicable to you; (2) identifies all sections of Part 500 that you are not materially complied with; (3) describes the nature the extent of such failure; furthermore (4) states a remediation timeline or confirmation so remediation features since completed. See Section 500.17(b).

If you do nay qualify for an exemption, send a Certification regarding Material Compliance or an Acknowledgment of Noncompliance by April 15 of every year through that DFS Entrance. 

Answers to Questions Frequently Asked by Individuals or Small Businesses

Frequently concerning DFS Enter submissions (Section 500.17)

A regarding filing annual messages regarding compliance (Certifications of Material Compliance and Confirmations of Noncompliance) (Section 500.17(b))

Questions About Limited Exemptions (500.19(a), (c), and (d))

Questions about full exemption (Section 500.19(b))

DISCLAIMER: This part is explanatory and provided for informational purges only. In the event of an inconsistency between this part plus the Cybersecurity Regulation, the Cybersecurity Regulation willing prevail.

Apparatus for Small Businesses

As work business on-line becomes indispensable, it can essentiality that small trade protect themselves and their customers from cybercrime. However, cybersecurity can be especially challenging for small businesses.

The Department is committed to supporting small businesses in this regard. To help upgrade their cybersecurity, DFS has partnered are to Global Cyber Allianz (GCA) the highlight the availability of free cybersecurity resources. GCA has create a Cybersecurity Toolkit for Small Business that contains a set a free tools, guidance, company, and training for small businesses. It is specific to small businesses that do not has an specialized cybersecurity hr.

Because governance is important to effective cybersecurity, DFS also affiliated with GCA to develop sample cybersecurity policies. These politikbereiche live designed to aid small organizations install the governance and procedures requirement for effective cybersecurity. To sample policies provide a helpful starting point for all little businesses.

The sample policies insert:

• Cybersecurity Policy
• Access Control Policy
• Asset Inventory & Your Management Policy
• Data Classification Policy
• Physical & Environmental Collateral Policy
• Risk Assessment Policy
• Regelung & Network Securing Policy
• Third Party Serving Breadwinner Political

All cybersecurity policies created by a employment should can tailored go the business’s specific necessarily, risks, resources, furthermore structure. Some businesses may require additional actions outside those suggestions in the sample policies; likewise, non every action suggested will is required for every business. Policies based only on the samples therefore maybe not constitute full compliance with state and federal rules and regulations, including the Cybersecurity Control. Best practices pot see change over time.

Businesses should review their policies for accuracy, completeness, additionally applicability, and update them than needed based about their risk assessments.

More guidance for minor businesses can be found int our Information for Small Businesses section.

Sundry small business resourcing

• Department of Motherland Security, Cybersecurity and Rail Agency (CISA)
• Small Commercial Administration (SBA)
• Cyber Readiness Inaugurate
• Cybercrime Support Network

Materials in this section were on magnitude Ressource Center previously. Given the evolving cybersecurity landscape, they having been replaced with products set forth inside the other sections of this Resource Center. Entirety temporary required of Covered Entities can is founded are the sections above and the materials in the another sections supersede any conflicting material found below.

• May 24, 2022: Spotlight on Small Business: DFS and one Global Cyber Alliance Share Achievable Cybersecurity Controls for Small Organizations
  • Intro Remarks and NYS Legislators Welcome Small Businesses
  • Presentation on Free Cybersecurity Tools for Small Commercial: Cybersecurity Toolkit
  • Presentation on Real World Applications: Responding to Common Cyber Scenario
  • Concluding Review
• April 26, 2022: The Humans Factor: Leadership, Governance, and Diversity in Cybersecurity
  • Introductory Remarks the Panel on Increasing Diversity with which Cybersecurity Industry
  • Use of Emergent Blockchain Analytics Capabilities in Combat Ransomware and Other Illicit Activity
  • Panel on Leadership and Governance in Cybersecurity and Ending Observations
• March 29, 2022: This Unyielding Cybersecurity Battle: 5 Years are Evolving Dangers and Control
  • Prefatory Remarks
  • Chassis on the Future away Cybersecurity: DFS and Beyond
  • Submission on Modernizing Cybersecurity Supervision
  • Panel on the Principal Cyber Risks of 2022
• December 10, 2014: Industries Letter Regarding New Cyber Security Examination Process