Introduction
On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). Part 500 was amended for the first time in April 2020 to change the date of the required annual certification filing from February 15 of each year to April 15.
Since the regulation was adopted, the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves. As a result, Part 500 was amended again, effective November 1, 2023.
Notably, DFS-regulated individuals and entities required to comply with the amended Cybersecurity Regulation (referred to below as “Covered Entities”) continue to include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.
This Resource Center is designed to help explain how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, answers frequently asked questions (referred to below as “FAQs”) and provides detailed information on how to submit cybersecurity-related filings, including notifications to DFS regarding compliance, cybersecurity incidents, and exemption status.
This Resource Center is frequently updated, and you may sign up for email updates on important regulatory guidance, cybersecurity alerts, and other information related to cybersecurity in the financial services sector by going to the DFS Email Updates Signup Page and subscribing to Cybersecurity Updates. These emails will come from the email address [email protected].
Questions regarding the Cybersecurity Regulation may be sent to [email protected].
Amended Cybersecurity Regulation
On November 1, 2023, DFS announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500. (See the final adopted regulatory documents on the Regulatory Activity - Financial Services Law page.)
Training Resources
To help regulated entities plan for compliance, the Department will host a series of webinars to provide an overview of the amended Cybersecurity Regulation.
| Date | Overview | Registration Link |
|---|---|---|
| Wed., Nov. 15, 2023 (2:00 – 3:30 PM) | General DFS Training on Part 500 Amendments | https://on.ny.gov/500training1115 |
| Thu., Nov. 30, 2023 (11:30 AM – 1:00 PM) | General DFS Training on Part 500 Amendments | https://on.ny.gov/500training1130 |
| Dec. 7, 2023 (11:00 AM – 12:30 PM) | General DFS Training on Part 500 Amendments | https://on.ny.gov/500training1207 |
Each training session has limited availability, so attendees are encouraged to register in advance. A recording of this training will be made available here shortly.
Additional sessions for insurance producers and mortgage loan originators will be held in the months ahead. Additional trainings and recorded training sessions will be posted here in the near future.
Download the Cybersecurity Regulation Training Presentation (PDF)
Key Compliance Dates
The amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024. Changes to reporting requirements take effect one month after publication of the amended regulation, or December 1, 2023. For certain other requirements, the regulation provides for up to one year, 18 months, or two years to come into compliance.
The below Cybersecurity Implementation Timelines outline key compliances dates for each of the categories of businesses impacted by the amended regulation:
Industry Guidance
Recent Updates (past 6 months)
| Subject | Date |
|---|---|
| Consent Order to SA Stone Wealth Management Inc. | 2023-07-07 |
| MOVEit Transfer Vulnerability | 2023-06-02 |
| Consent Order to OneMain Financial Group LLC (related press release) | 2023-05-24 |
| Consent Order to bitFlyer USA, Inc. | 2023-05-02 |
Industry Letters
- See all Industry Letters
Alerts
Cybersecurity-Related Reports and Publications
| Subject | Date |
|---|---|
| Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response (related press release) | April 2021 |
| Twitter Investigation Report (related press release) | October 2020 |
| Update on Cybersecurity in the Banking Sector: Third Party Service Providers | April 2015 |
| Report on Cybersecurity in the Insurance Sector | February 2015 |
| Report on Cybersecurity in the Banking Sector | May 2014 |
- See all Reports and Publications
Cybersecurity-Related Settlements
See all DFS Enforcement Actions
FAQs
Answers to frequently asked questions concerning the Cybersecurity Regulation are below. Capitalized terms used below have the meanings assigned to them in the definition section of Part 500. “Section” references are to sections of the Cybersecurity Regulation unless otherwise stated. The Department may revise or update the below information from time to time, as appropriate.
500.1 Definitions
(e) Covered Entities
Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are "operating under or required to operate under" DFS authorizations pursuant to the Insurance Law, and whether or not they are regulated by another governmental entity is irrelevant to this determination.
Under N.Y. Banking Law § 590(2)(b-1), an Exempt Mortgage Loan Servicer needs to notify DFS that it will act as a servicer. Since the notification is not an authorization from the Department, an exempt Mortgage Loan Servicer is not a Covered Entity under 500.1(e). However, if an Exempt Mortgage Loan Servicer also holds a license, registration, or received approval under the provisions of Part 418.2(e), it will be considered a Covered Entity and required to comply with the Cybersecurity Regulation. Given the increasing cybersecurity risks that all financial services organizations face, DFS strongly encourages all financial institutions, including those Exempt Mortgage Loan Servicers that are not Covered Entities, to adopt cybersecurity protections consistent with those required by Part 500.
Yes. Not-for-profit mortgage brokers are Covered Entities. 3 NYCRR Part 39.4(e) provides that Mortgage Brokers "which seek exemption may submit a letter application,” along “with such information as may be prescribed by” the Superintendent, to the Mortgage Banking unit of the Department at the address set forth in section 1.1 of Supervisory Policy G 1. As this authorization is necessary for a not-for-profit Mortgage Broker, it is a Covered Entity under Part 500.
Yes, they are considered Covered Entities and, as such, must comply with Part 500. Only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office, are subject to the applicable requirements of Part 500, whether through the branch's, agency's, or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.
500.2 Cybersecurity Program
A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part as provided for in Section 500.2(d), as long as the Covered Entity's overall cybersecurity program meets all requirements of Part 500. The Covered Entity remains responsible for full compliance with the requirements of Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.
500.4 Cybersecurity Governance
To the extent a Covered Entity utilizes an employee of an Affiliate or Third-Party Service Provider to serve as the Covered Entity's CISO for purposes of Section 500.4(a), the Covered Entity retains full responsibility for compliance with the requirements of Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.
Yes. The Senior Governing Body is defined in 500.1(q) and includes an appropriate committee of the board of directors.
500.5 Vulnerability Management
Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of Section 500.5.
*Changes to 500.5 will be effective as of April 29, 2024. At that point, the requirement regarding continuous monitoring will no longer appear in Section 500.5 and this FAQ will be removed.
500.9 Risk Assessment
The Risk Assessment required by Sections 500.9 & 500.2(b) is the foundation of the comprehensive cybersecurity program required by DFS’s Cybersecurity Regulation, and a cyber assessment framework is a useful component of a comprehensive Risk Assessment. DFS does not require a specific standard or framework for use in the risk assessment process. Rather, DFS expects Covered Entities to use a framework and methodology that best suits their risk and operations. Among the widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.
Yes. Section 500.9(a) states that Risk Assessments “shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the Covered Entity’s cyber risk.” Furthermore, Section 500.8(b) states that the institution’s application security “procedures, guidelines and standards shall be reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity at least annually.” Accordingly, when a Covered Entity is acquiring or merging with a new company, the Covered Entity will need to do a factual analysis of how the requirements of Part 500 apply to that particular acquisition. Some important considerations include, but are not limited to, the type of business the acquired company engages in, the target company’s cybersecurity risks including its access to Nonpublic Information, the safety and soundness of the Covered Entity, and the integration of data systems. The Department emphasizes that Covered Entities must conduct thorough due diligence and prioritize cybersecurity when considering any new acquisitions.
When a subsidiary or other Affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see Sections 500.9, 500.2 and 500.3, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.
Under Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, the Covered Entity must evaluate and address any risks that a BHC (or other Affiliate of the Covered Entity) presents to the Covered Entity’s Information Systems and/or Nonpublic Information. For example, if a Covered Entity shares its data, including Nonpublic Information, and Information Systems with a BHC, the Covered Entity must ensure that such shared data and systems are protected. Specifically, the Covered Entity must evaluate and address in its Risk Assessment, cybersecurity program and cybersecurity policies the risks that the BHC poses with respect to such shared Information Systems and/or Nonpublic Information. In the same manner, a Covered Entity must also evaluate and address other cybersecurity risks that a BHC may pose to it. A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC or that otherwise may be subjected to risk by a BHC. Other regulatory requirements may also apply, depending on the individual facts and circumstances.
500.11 Third-Party Service Provider Security Policy
No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third-Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third-Party Service Provider poses to their Nonpublic Information and Information Systems and effectively address those risks.
Section 500.11, among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers. Section 500.11(b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, Section 500.11(b) requires Covered Entities to make a Risk Assessment regarding the appropriate controls for Third-Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.
Yes. If an entity is both a Covered Entity and a Third-Party Service Provider, the entity is responsible for meeting the requirements of Part 500 as a Covered Entity.
When a Covered Entity is using an independent UR agent, that Covered Entity should be treating them as Third-Party Service Providers (“TPSP”). Since UR agents will be receiving Nonpublic Information from that Covered Entity, that Covered Entity must assess the risks each TPSP poses to their data and Information Systems and effectively address those risks. The Covered Entity will ultimately be responsible for ensuring that their data and systems are protected.
500.12 Multi-Factor Authentication
Based on its Risk Assessment, each Covered Entity must use effective controls, which may include MFA or risk-based authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. MFA must be used for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Starting on November 1, 2025, a Covered Entity will be required to use MFA for any individual accessing any Information Systems of the Covered Entity, regardless of location, type of user, and type of information contained on the information system being accessed, unless the Covered Entity has a CISO that approves in writing the use of reasonably equivalent or more secure compensating controls (and reviews this determination periodically but at a minimum annually), or the Covered Entity qualifies for a limited exemption pursuant to Section 500.19(a), in which case MFA shall only be required for (1) remote access to the Covered Entity’s Information Systems, (2) remote access to third-party applications, including but not limited to those that are cloud based, from which Nonpublic Information is accessible, and (3) all privileged accounts other than service accounts that prohibit interactive login. If a Covered Entity that is exempt under Section 500.19(a) also has a CISO, the CISO may also grant the exception described above.
Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.
500.17 Notices to Superintendent
500.17(a): Cybersecurity Incidents
Section 500.17(a) requires Covered Entities to notify DFS as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Incident has occurred at the Covered Entity, its Affiliates, or a Third-Party Service Provider.
A Cybersecurity Incident is a Cybersecurity Event that (1) impacts the Covered Entity and requires the Covered Entity to notify any government body, self-regulatory agency or any other supervisory body; (2) has a reasonable likelihood of materially harming any material part of the normal operation(s) if the Covered Entity; or (3) results in the deployment of ransomware within a material part of the Covered Entity’s information system. (Section 500.1(g)) A Cybersecurity Event is any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system. (Section 500.1(d))
An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful. The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under Section 500.17(a) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.
The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department. Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.
The Department recognizes that Covered Entities’ focus should be on preventing cybersecurity attacks and improving systems to protect the institution and its customers. The Department’s notice requirement is intended to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.
Yes. Section 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under Section 500.17(a)(1), a Covered Entity must notify the Department of any Cybersecurity Event for which notice is required to be provided to “any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach. Under Section 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to the Department.
In addition, under Section 500.17(a), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s)” of the Covered Entity. To the extent this type of Cybersecurity Event involves material consumer harm, it is covered by this provision.
Yes. Section 500.17(a) requires a Covered Entity that has been impacted by a Cybersecurity Event that occurred at one of its Third-Party Service Providers to notify DFS if the Covered Entity is also required to notify any government body, self-regulatory agency, or any other supervisory body. This is required of the Covered Entity even if the Third-Party Service Provider also notifies DFS. Reporting Cybersecurity Events such as these enables the Department to more rapidly identify techniques used by attackers and alert industry, respond quickly to new threats, and continue to protect consumers and the financial services industry.
New York’s information security breach and notification law (also known as the SHIELD ACT, General Business Law Section 899-aa), requires notice to consumers who have been affected by Cybersecurity Incidents. Further, under Part 500, a Covered Entity’s cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address as part of their incident response plans external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of Part 500.
500.17(b): Certification of Compliance
The annual notification of compliance that is required by Section 500.17(b) must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity.
No. Each Covered Entity is required to notify DFS of its own compliance with Part 500 annually.
You do not need to send supporting documentation if you are submitting a Certification of Material Compliance. If you are submitting an Acknowledgment of Noncompliance, you must identify all sections of the Cybersecurity Regulation you did not materially comply with, describe the nature and extent of such noncompliance, and provide a remediation timeline or confirmation that remediation has been completed. No additional explanatory or other materials are required as part of these submissions.
The Cybersecurity Regulation does require, however, that Covered Entities maintain records, schedules, and data that support their annual notification – whether a certification or an acknowledgment -- for 5 years and provide such information to the Department upon request. The information you must keep includes, but is not limited to, the identification of all areas, systems, and processes that require or required material improvement, updating or redesign, remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
A Covered Entity may not submit a certification under Section 500.17(b) unless the Covered Entity was in material compliance with all applicable requirements of Part 500 for the calendar year for which it is certifying. Staring with notifications due by April 15, 2024, a Covered Entity that was not in material compliance with the Cybersecurity Regulation for the preceding calendar year must file an Acknowledgment of Noncompliance pursuant to Section 500.17(b)(1)(ii).
It depends on the exemption for which the Covered Entity qualifies. If it qualifies for a full exemption pursuant to Section 500.19(b), (e), or (g), and submitted a Notice of Exemption, the Covered Entity does not need to submit an annual notification regarding its compliance. If, however, the Covered Entity qualifies for a limited exemption and filed a Notice of Exemption pursuant to Sections 500.19(a), (c) or (d), it does need to submit an annual notification regarding its compliance.
If the Covered Entity filed a Notice of Exemption under sections 500.19(a), (c) or (d), it is still required to file an annual notification regarding its compliance with the sections of the Cybersecurity Regulation that apply to it as specified in the regulation. Consequently, if a Covered Entity filed for an exemption under subsection (a) of Section 500.19, it is still required to: maintain a cybersecurity program as required in Section 500.2; maintain a cybersecurity policy as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.
Additionally, starting in November 2024, Covered Entities qualifying for a Section 500.19(a) exemption will also be required to comply with the Multi-Factor Authentication requirements in Section 500.12 and provide cybersecurity awareness training pursuant to Section 500.14(a)(3).
If you filed for an exemption under subsections (c) or (d) of Section 500.19, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.
Yes. Covered Entities that have more than one license need to submit separate annual notifications of compliance for each license. This includes licenses for entities and licenses for individuals.
All Covered Entities, including non-residents, are required to submit notifications of their compliance unless they qualify for a full exemption pursuant to Section 500.19(b), (e), or (f) and have filed a Notice of Exemption.
The following inactive licensees who do not otherwise qualify as a Covered Entity (for example, who do not hold another type of license) are exempt from the annual requirement to notify DFS regarding their compliance:
- inactive individual insurance brokers (subject to Insurance Law section 2104) who (a) do not maintain, control or use, even indirectly, any Information Systems and do not have any Nonpublic Information, and (b) have not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year;
- individual insurance agents placed in inactive status under Insurance Law §2103; and
- individual mortgage loan originators placed in inactive status under Banking Law §599-i.
If none of the above apply to your situation, then as long as you are licensed by DFS, you need to comply with the Cybersecurity Regulation. However, you may qualify for the limited exemption pursuant to Section 500.19(c) which applies to any regulated entity or licensed Person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, Section 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see table below), including the requirement to submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance.
500.19 Exemptions
Under Section 500.19(a)(1), which is also referred to as the Small Business Exemption, smaller Covered Entities are exempted from certain enumerated requirements of Part 500 when a Covered Entity and all of its Affiliates combined have a total of fewer than 20 employees and independent contractors. When determining whether a Covered Entity and its Affiliates have fewer than 20 employees and independent contractors, all of the Covered Entity’s employees and independent contractors and all of the Covered Entity’s Affiliate’s employees and independent contractors must be counted regardless of where any of the employees and independent contractors are located.
Note that Affiliate is defined very broadly in Section 500.1 as any individual or entity, including but not limited to any partnership, corporation, branch, agency or association, that controls, is controlled by, or is under common control with any other individual or entity, including but not limited to any partnership, corporation, branch, agency or association. For purposes of this definition, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.
Yes, but a Covered Entity that qualifies for a limited exemption does not have to comply with every section of the Cybersecurity Regulation. Covered Entities that qualify for the limited exemption in Section 500.19(a) do not have to comply with Sections 500.4, 500.5, 500.6, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16; those that qualify for a limited exemption in Section 500.19(c) do not have to comply with Sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16; and those that qualify for the limited exemption in Section 500.19(d) do not have to comply with Sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14, 500.15 and 500.16. Notably, all of the limited exemptions require qualifying Covered Entities to submit an annual notification regarding their compliance with Part 500, but they only need to notify DFS about their compliance with the sections applicable to them based on their exemption.
Please note that, as of November 1, 2024, Covered Entities qualifying for the exemption in 500.19(a) will not be exempt from Sections 500.12 and 500.14(a)(3). That means these Covered Entities will have to comply by November 1, 2024 with the MFA requirements in Section 500.12 and the cybersecurity awareness training requirements in Section 500.14(a)(3)
If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must comply with some sections of the Cybersecurity Regulation as listed in the tables below.
This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a
If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must comply with some sections of the Cybersecurity Regulation as listed in the tables below.
This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a
| Exemptions: | Compliance Requirements: |
| 500.4 Cybersecurity governance | 500.2 Cybersecurity program |
| 500.5 Vulnerability management | 500.3 Cybersecurity policy |
| 500.6 Audit trail | 500.7 Access privileges and management |
| 500.8 Application security | 500.9 Risk assessment |
| 500.10 Cybersecurity personnel and intelligence | 500.11 Third-party service provider security policy |
| 500.14(a)(1) Monitor user activity | 500.12 Multi-factor authentication (as of November 1, 2024) |
| 500.14(a)(2) Implement risk-based controls to protect against malicious code | 500.13 Data retention requirements (as of November 1, 2025 this will also include asset management requirements) |
| 500.14(b) Monitoring and training – for Class A companies | 500.14(a)(3) Provide cybersecurity awareness training (as of November 1, 2024) |
| 500.15 Encryption of nonpublic information | 500.17 Notices to superintendent |
| 500.16 Incident response and business continuity management |
This table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(c) or (d) exemption.
| Exemptions: | Compliance Requirements: |
| 500.2 Cybersecurity program | 500.9 Risk assessment |
| 500.3 Cybersecurity policy | 500.11 Third-party service provider security policy |
| 500.4 Cybersecurity governance | 500.13 Access management and data retention requirements (as of November 1, 2025 this will also include asset management requirements) |
| 500.5 Vulnerability management | 500.17 Notices to superintendent |
| 500.6 Audit trail | |
| 500.7 Access privileges and management | |
| 500.8 Application security | |
| 500.10 Cybersecurity personnel and intelligence | |
| 500.12 Multi-factor authentication | |
| 500.14 Monitoring and training | |
| 500.15 Encryption of nonpublic information | |
| 500.16 Incident response and business continuity management |
A Covered Entity is entitled to a Section 500.19(b) exemption in such cases only if it is an employee, agent, representative, or designee that is fully covered by the cybersecurity program of one of the Covered Entities for which it is an employee, agent, representative or designee. In other words, if a Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity, it will only qualify for a Section 500.19(b) exemption if the cybersecurity program of at least one of those Covered Entities fully covers all aspects of its business.
When submitting the notice for a Section 19(b) exemption, a Covered Entity must provide the name of the Covered Entity whose cybersecurity program its business is covered by, along with the name of an individual at that Covered Entity who can verify the coverage.
Yes. Section 500.19 subsections (a) through (e) set forth exemptions from different requirements of Part 500. Section 500.19(f) requires Covered Entities that qualify for any of those exemptions to submit a Notice of Exemption within 30 days of determining that it so qualifies.
Yes. If there are changes, the Covered Entity should amend its Notice of Exemption in the DFS Portal, where there is an option to choose “amend exemption.”
The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Portal. A Covered Entity should use the account it used to file its original Notice of Exemption or, if the Covered Entity’s exemption was submitted as part of a bulk filing, create a new account to amend its exemption.
If a Covered Entity ceases to qualify for a previously claimed exemption, the Covered Entity should, as soon as reasonably possible, notify the Department through the DFS Portal by terminating its previously filed exemption. Under Section 500.19(h), a Covered Entity has 180 days to comply with all applicable requirements of Part 500 once it ceases to qualify for an exemption.
By permission, the Department will approve the filing by certain Covered Entities of Notices of Exemption on behalf of their employees or captive agents who are also Covered Entities. This option, called “Bulk Filing,” will only be available if 50 or more employees or captive agents qualify for the same exemption.
A Covered Entity that wants to use the Bulk Filing process should go to the Cybersecurity-related Submissions section on this site to find information on how to do so.
Exceptions/Deferrals to other regulators
A CTF that is administered by another Covered Entity can rely on the cybersecurity program of that Covered Entity, as long as that cybersecurity program conforms with Part 500 and fully protects the CTF. Under these circumstances, the Covered Entity must submit a Certification of Compliance with the Department. If the CTF is administered by a national bank, then the Department will defer to that bank’s primary regulator to ensure that the CTF has a proper cybersecurity program. Further, to protect markets, the Department strongly encourages all financial entities, including CTFs administered by national banks, to adopt cybersecurity protections consistent with the safeguards and protections of Part 500.
New York is a signatory to the Nationwide Cooperative Agreement, revised as of December 9, 1997 (the “Agreement”), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches. In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination. DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York. With respect to the Cybersecurity Regulation, given the ever-increasing cybersecurity risks financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of Part 500.
Part 500 Exemptions
Covered Entities may not have to comply with some or all of the Cybersecurity Regulation’s requirements if they qualify for an exemption. There are two types of exemptions: full and limited, both of which are in section 500.19. This section first explains what qualifies a Covered Entity for an exemption, then describes the cybersecurity requirements a Covered Entity must comply with if it qualifies for an exemption, and finally provides directions on how to submit notifications to the Department regarding a Covered Entity’s exempt status.
Qualifications for Full Exemptions
Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).
To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative, or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business.
To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating, or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).
To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).
Qualifications for Limited Exemptions
Three subsections of section 500.19 provide for limited exemptions: 500.19(a), 500.19(c), and 500.19(d).
There are three ways a Covered Entity may qualify for a 500.19(a) limited exemption:
- A Covered Entity and its Affiliates combined must have fewer than 20 employees and independent contractors (500.19(a)(1));
- A Covered Entity must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of its business operations combined with its Affiliates’ business operations in New York State (500.19(a)(2)); or
- A Covered Entity must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.
Affiliate, for purposes of the Cybersecurity Regulation and determining whether a Covered Entity qualifies for any of the 500.19(a) exemptions, is defined very broadly as “any person that controls, is controlled by, or is under common control with another person.” Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” (500.1(a))
To qualify for a 500.19(c) limited exemption, a Covered Entity must not directly or indirectly operate, maintain, utilize, or control any Information Systems, and must not be required to, directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information.
To qualify for a 500.19(d) limited exemption, a Covered Entity must be a captive insurance company that does not and is not required to directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information other than information relating to its corporate parent company or affiliates.
Cybersecurity Requirements for Exempt Covered Entities
If a Covered Entity qualifies for a full exemption, it must submit a Notice of Exemption to DFS. As long as it remains qualified for a full exemption, it does not have to comply with any other section of the Cybersecurity Regulation.
If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must submit a Notice of Exemption, comply with some sections of the Cybersecurity Regulation (which sections depend on the type of limited exemption and are listed in the table below), and submit annually a notice regarding the Covered Entity’s compliance with Part 500.
The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(a) exemption.
| Exemptions: | Compliance Requirements: |
| 500.4 Cybersecurity governance | 500.2 Cybersecurity program |
| 500.5 Vulnerability management | 500.3 Cybersecurity policy |
| 500.6 Audit trail | 500.7 Access privileges and management |
| 500.8 Application security | 500.9 Risk assessment |
| 500.10 Cybersecurity personnel and intelligence | 500.11 Third-party service provider security policy |
| 500.14(a)(1) Monitor user activity | 500.12 Multi-factor authentication (as of November 1, 2024) |
| 500.14(a)(2) Implement risk-based controls to protect against malicious code | 500.13 Data retention requirements (as of November 1, 2025, this will also include asset management requirements) |
| 500.14(b) Monitoring and training – for Class A companies | 500.14(a)(3) Provide cybersecurity awareness training (as of November 1, 2024) |
| 500.15 Encryption of nonpublic information | 500.17 Notices to superintendent |
| 500.16 Incident response and business continuity management |
The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(c) or (d) exemption.
| Exemptions: | Compliance Requirements: |
| 500.2 Cybersecurity program | 500.9 Risk assessment |
| 500.3 Cybersecurity policy | 500.11 Third-party service provider security policy |
| 500.4 Cybersecurity governance | 500.13 Access management and data retention requirements (as of November 1, 2025, this will also include asset management requirements) |
| 500.5 Vulnerability management | 500.17 Notices to superintendent |
| 500.6 Audit trail | |
| 500.7 Access privileges and management | |
| 500.8 Application security | |
| 500.10 Cybersecurity personnel and intelligence | |
| 500.12 Multi-factor authentication | |
| 500.14 Monitoring and training | |
| 500.15 Encryption of nonpublic information | |
| 500.16 Incident response and business continuity management |
Submitting Notice of Exemption Regarding Exempt Status
Covered Entities that have determined they qualify for an exemption should submit a Notice of Exemption within 30 days of making that determination. 500.19(f). Some Covered Entities qualify for more than one exemption, and they can indicate that on their Notice of Exemption.
Covered Entities must submit their Notices of Exemption through the DFS Portal. Detailed instructions for making this submission can be found in the Instructions on How to File a Notice of Exemption (PDF).
Amending a Filed Exemption
If a Covered Entity no longer qualifies for an exemption, it should amend or terminate its Notice of Exemption within 30 days. A Covered Entity should amend its Notice of Exemption when its qualifications for an exemption change, but it still qualifies for at least one exemption. Covered Entities must amend their Notices of Exemption through the DFS Portal. Detailed instructions for amending exemption status can be found in the Instructions on How to Amend Previously Filed Notices of Exemptions (PDF).
Terminating a Filed Exemption
A Covered Entity that no longer qualifies for any exemption must terminate their exemption as soon as reasonably possible after they no longer qualify. No matter when the termination is submitted, however, the Covered Entity has 180 days from the date they are no longer qualified to become fully compliant with the Cybersecurity Regulation. Covered Entities must terminate their Notices of Exemption through the DFS Portal. Detailed instructions for notifying DFS that a Covered Entity no longer qualifies for an exemption can be found in the Instructions on How to Terminate Previously Filed Notices of Exemption (PDF).
Bulk Exemption Submissions
Covered Entities that employ 50 or more individual Covered Entities that qualify for the same exemption may file exemptions on behalf of those employees through the bulk submission process.
Covered Entities that qualify and would like access to use the bulk submission process should email the Department at [email protected] from the email address associated with their DFS Portal account, and the Department will send further instructions. The submitter will need to provide their name, DFS identification number, type of license, and email address for every Covered Entity on whose behalf they are submitting. The Covered Entity using the bulk submission process will be able to add and terminate exemptions as their employees’ employment and exemption status changes.
Covered Entities that have their Notice of Exemption filed as part of a bulk filing will receive an email from DFS confirming the filing. The email will include a receipt number and list the exemption(s) filed. Covered Entities must retain a copy of this receipt number for future reference as it will be the only receipt you will get from DFS regarding the submission.
Please note that Covered Entities are ultimately responsible for ensuring their compliance with Part 500. Therefore, a Covered Entity must ensure that either their employer or they notify the Department of any changes in status.
Submission Confirmation
After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to renew their licenses.
Submit a Compliance Filing
Starting in 2024, Covered Entities will continue to be required to submit an annual notice regarding their compliance with Part 500, but will have the choice of submitting either a Certification of Material Compliance or an Acknowledgment of Noncompliance. Section 500.17(b). All Covered Entities that are not exempt from the requirement to comply with 500.17 must file one or the other each year by April 15 regarding their compliance during the previous calendar year. Covered Entities that qualify for a limited exemption pursuant to 500.19(a), (c), or (d) are required to submit one of these annual notifications by April 15 as well, but they only have to certify compliance or acknowledge noncompliance with the sections from which they are not exempt.
Annual notifications regarding compliance for the calendar year 2023 are due by April 15, 2024. They must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity. Covered Entities may submit these notifications starting on January 1, 2024.
Covered Entities that have more than one license must file separate annual notifications for each license they hold. Covered Entities must keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request. 500.17(b)(3).
Certification of Material Compliance
Covered Entities that were materially compliant with all sections of the Cybersecurity Regulation that applied to it during the previous calendar year must submit a Certification of Material Compliance. To submit a certification, please go to the DFS Portal and follow the Instructions on How to File a Certification of Material Compliance (PDF).
Acknowledgment of Noncompliance
If a Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b). To submit an acknowledgment, please go to the DFS Portal and follow the Instructions on How to File an Acknowledgment of Noncompliance, which will be available soon.
Report a Cybersecurity Incident
Covered Entities must notify the Department of a Cybersecurity Incident as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Incident has occurred at the covered entity, its affiliates, or a third-party service provider. 500.17(a).
A Cybersecurity Incident is any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system that:
- impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
- has a reasonable likelihood of materially harming any material part of the normal operation(s) if the covered entity; or
- results in the deployment of ransomware within a material part of the covered entity’s information system. 500.1(f) and (g)
Covered Entities must report a Cybersecurity Incident to DFS through the DFS Portal. To ensure that reports are matched to the correct individual or entity, the Portal requires the submitter to use an identifying number. An identifying number can be a NYS License number, NAIC/NY Entity number, NMLS number, or Institution number. The DFS Portal contains a look-up feature for submitters who do not know any of their identifying numbers. To notify DFS of an extortion payment, please go to the DFS Portal and follow the Instructions on How to Report a Cybersecurity Incident (PDF).
Report an Extortion Payment
Unfortunately, ransomware attacks continue to threaten financial services companies and their customers. DFS, like the FBI and other regulators, recommends against paying ransoms. While Covered Entities are not prohibited from making such payments, as of December 1, 2023, a Covered Entity that has made an extortion payment in connection with a cybersecurity event that occurred on its Information Systems must file a Notice of Extortion Payment within 24 hours of payment. Within 30 days of payment, the Covered Entity will be required to provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, it conducted to find these alternatives. Furthermore, the Covered Entity must describe the diligence it performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control. 500.17(c). To notify DFS of an extortion payment, please go to the DFS Portal and follow the Instructions on How to Report an Extortion Payment (PDF).
Submission Confirmation
After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to update DFS regarding a reported Cybersecurity Incident.
Supervision and Examinations
To safeguard financial services organizations and the confidential information of New Yorkers, DFS uses a multi-pronged approach to monitor cyber risk. The cyber supervision program supplements traditional examinations with new types of information-gathering and analysis activities intended to create a holistic view of the cybersecurity risk posture of the thousands of New York financial services firms regulated by DFS.
DFS’s approach was a first among regulators when it was launched as a pilot in December 2021 and has three key components:
Regulatory Examinations and Data Analysis
DFS will continue to conduct regular examinations that include a focus on cybersecurity/IT risk and compliance. It will also assess Covered Entities for cybersecurity risk based on their previous examination reports, annual cybersecurity regulation compliance filings, reported incidents, and other regulatory filings.
Cyber Controls Assessment Questionnaires
DFS will periodically ask Covered Entities to complete assessment questionnaires, such as the Cybersecurity and Information Technology Baseline Risk Questionnaire. Such questionnaires will be independent of the examination process and are based on similar assessments used by industry and insurers to assess risk for financial services companies.
External Data Scans and Analysis
To better and faster assess cyber risk facing Covered Entities, DFS uses various sources of information to develop an “outside-in” view of cyber risk of specific regulated entities as well as New York State’s financial services sector overall. Such information may come from information-sharing arrangements with public sector partners and industry organizations. DFS also conducts data gathering and analysis through its dedicated Cyber Intelligence Unit which draws on a mix of sources including DFS data, publicly available information, and commercial scanning and threat analysis capabilities.
Producers, Individual Licensees, and Small Businesses
This part of the Cybersecurity Resource Center has been developed specifically for DFS-regulated individuals and small businesses. It is intended to provide clear, step-by-step instructions for complying with the Cybersecurity Regulation.
Step 1. Determine whether you need to comply with the Cybersecurity Regulation.
If you have a license issued by DFS or are otherwise regulated by DFS, you must comply with the Cybersecurity Regulation. That is because the Cybersecurity Regulation applies to all individuals and small businesses that are “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under the Banking, Insurance or Financial Services Laws. Section 500.1(e).
Step 2. Determine whether you qualify for any of the exemptions listed in the Cybersecurity Regulation.
Many individual brokers, agents, and adjusters, as well as some small businesses, qualify for an exemption. The exemptions are listed in Section 500.19 and fall into two categories: full and limited.
Exemptions available to DFS-regulated individuals and small businesses
Full Exemptions
Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).
To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business (referred to as the Covering Entity). Individuals who only work for one company and do not work on any other outside matters typically qualify for this exemption.
To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).
To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).
Whether you qualify for one of these exemptions depends on your specific circumstances. DFS cannot make that determination for you.
Limited Exemptions
If you don’t qualify for any of the full exemptions, you may qualify for a limited exemption, which means that, if you qualify, you must submit a Notice of Exemption through the DFS Portal, comply with certain sections of the Cybersecurity Regulation (which we will discuss in Step 4), and submit an annual Certification of Material Compliance or Acknowledgment of Noncompliance.
The following are the most common exemptions for small businesses and individuals: Sections 500.19(a)(1), 500.19(a)(2), and 500.19(a)(3).
To qualify under Section 500.19(a)(1), a business, along with any Affiliates, must have fewer than 20 employees and independent contractors.
To qualify under Section 500.19(a)(2), an individual or business must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of its business operations combined with its Affiliates’ business operations in New York State.
To qualify under Section 500.19(a)(3), an individual or business must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.
Affiliate, for purposes of the Cybersecurity Regulation and determining whether any of the 500.19(a) exemptions apply, is defined very broadly as “any person that controls, is controlled by or is under common control with another person.” Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.”
Individuals and small businesses may also qualify for the limited exemption set forth in Section 500.19(c) if they (1) do not operate, maintain, use, or control a computer or other device that holds electronic data, including phones; and (2) do not, and are not required to, control, own, access, generate, receive, or possess confidential customer and other sensitive business and private information.
You may qualify for more than one of the limited exemptions listed above. If you do, you should indicate that when you submit your Notice of Exemption.
Whether you qualify for an exemption depends on your specific circumstances. DFS cannot make that determination for you.
If you do NOT qualify for an exemption, you must comply with all sections of the Cybersecurity Regulation and can skip Steps 3 and 4.
Step 3. If you qualify for one or more limited exemptions or the 500.19(b) or 500.19(e) full exemptions, submit a Notice of Exemption.
To receive the benefits of qualifying for an exemption, you must submit a Notice of Exemption through the DFS Portal (see instructions on setting up a DFS Portal account.) Please note that if you qualify for a full exemption pursuant to Section 500.19(b), you will need to provide the name of the Covering Entity (the DFS-regulated entity whose cybersecurity program covers all aspects of your work) when submitting your Notice of Exemption. If your business qualifies for the Section 19(b) exemption because it is a wholly owned subsidiary of another DFS-regulated entity, you will need to provide the name of your DFS-regulated parent company whose cybersecurity program covers all aspects of your business’s work. You or your business cannot claim yourself or itself as the Covering Entity or parent company.
Notices of Exemption are good until they are terminated which means you do not need to submit a Notice each year; however, if you qualify for a full exemption pursuant to Sections 500.19(b), (e), or (g), you should review your status every year to determine whether you still qualify for the exemption. If you qualify for a limited exemption pursuant to Sections 500.19(a), (c), or (d), you will be asked whether you still qualify for an exemption when you submit your annual Certification of Material Compliance or Acknowledgment of Noncompliance.
If your qualifications for an exemption have changed (for example, when you stop working for the DFS-regulated company or stop using their cybersecurity program), you are responsible for making sure your exemption is amended or terminated. If your company submitted a Notice of Exemption on your behalf, the company may terminate your exemption, but it is your responsibility to make sure that is done.
- Instructions on How to File a Notice of Exemption (PDF)
- Instructions on How to Amend Previously Filed Notices of Exemptions (PDF)
- Instructions on How to Terminate Previously Filed Notices of Exemption (PDF)
If you qualify for a full exemption and have submitted your Notice of Exemption, you do not need to proceed past this step. However, if you only qualify for one or more limited exemptions pursuant to Section 500.19(a), (c) or (d), you must submit a Notice of Exemption AND proceed to Step 4.
Step 4. If you qualify for one of the limited exemptions, determine which sections of the Cybersecurity Regulation you must comply with.
If you qualify for a Section 500.19(a)(1), (2), or (3) exemption, you are still required to: maintain a cybersecurity program as required in Section 500.2 and cybersecurity policies as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.
Additionally, starting in November 2024, you will also be required to comply with the MFA requirements in Section 500.12 and provide cybersecurity awareness training pursuant to Section 500.14(a)(3).
If you qualify for a Section 500.19(c) or (d) exemption, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.
Importantly, if you qualify for a limited exemption, you still must submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 every year pursuant to Section 500.17. However, you only need to certify that you are materially complying with the sections of the Cybersecurity Regulation that are applicable to you or acknowledge your noncompliance with those sections.
Step 5. Take action to comply with the sections of the Cybersecurity Regulation applicable to you.
Once you determine which sections of the Cybersecurity Regulation apply to you (see Step 4), take action to comply. You can use the short descriptions below to prepare a list of the sections that apply to you along with any needed actions.
Section 500.2 – Maintain a cybersecurity program. This section requires you to have a cybersecurity program that enables you or your company to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.
Section 500.3 – Maintain cybersecurity policies. This section requires you to establish and maintain written cybersecurity policies that essentially comprise the framework for your cybersecurity program. These policies should be created after an assessment of your cybersecurity risks. Those risks include how much data you hold, the types of data you hold, the number of people who can access that data, and other similar factors. DFS partnered with the Global Cyber Alliance (GCA) to develop a set of cybersecurity policy templates which can provide a helpful starting point for individuals and small businesses.
You only need to establish and maintain policies that are relevant to your business, but you must consider whether you need policies that cover the following topics and controls, all of which are listed in Section 500.3:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party provider management
- Risk assessment
- Incident response
As of April 29, 2024, you will also be required to consider whether you need policies that cover the following areas:
- Data retention
- End of life management
- Remote access
- Security awareness and training
- Application security
- Incident notification
- Vulnerability management
Your policies need to be approved by your senior leadership, such as a senior officer or manager or an appropriate committee of your board (if one exists).
Section 500.7 – Control who can access your computer system and nonpublic information. This section requires you to know who has access to the confidential customer and business information held by your business AND to limit that access to people who need it for their job. This section also requires you to periodically review who has and needs such access.
As of May 1, 2025, you must also impose limits with respect to privileged accounts, only allow secure connections where devices can be remotely controlled, promptly terminate access when employees leave, and have a written password policy that meets industry standards, among other things.
Section 500.9 – Conduct risk assessments. You must base your cybersecurity program on the identification, evaluation, and prioritization of cybersecurity risks to your business operations, including but not limited to risks to your Information Systems, the Nonpublic Information maintained on those systems, and your customers. You must conduct periodic risk assessments in accordance with written policies and procedures which have to include: the criteria you will use to evaluate and categorize identified cybersecurity risks and threats; the criteria you will use to assess the confidentiality, integrity, security, and availability of your Information Systems and the Nonpublic Information maintained on them; and requirements that describe how identified risks will be controlled, minimized, or accepted and how your cybersecurity program will address those risks. These assessments must be reviewed and updated at least annually and when any changes to your business or technology materially impacts your cyber risk.
Section 500.11 – Maintain a policy regarding the use of third-party service providers. You must have written policies and procedures designed to ensure the security of the confidential customer and sensitive business information that is accessible to, or held by, third parties. A third party, for purposes of the Cybersecurity Regulation, is an individual or organization that provides services to you, has access to your confidential customer and other sensitive business information, and is not affiliated with you or your company. Law firms, internet hosting companies, and electronic storage providers are examples of third-party service providers.
Section 500.13 – Limit the data you keep. You must not keep confidential customer and sensitive business information any longer than it is needed for business purposes. A legitimate business purpose includes anything you are required to retain by law or regulation.
As of November 1, 2025, you will also need to have policies in place to implement and maintain an up-to-date asset inventory covering your information systems.
Section 500.17 – The following are required notifications to DFS:
- Annual Compliance Submissions – Submit either a Certification of Material Compliance or an Acknowledgment of Noncompliance each year by April 15th regarding your compliance during the previous calendar year.
- If you were materially compliant with all sections of the Cybersecurity Regulation that applied to you during the previous calendar year, submit a Certification of Material Compliance.
- If you cannot certify that you were in material compliance with the sections of the Cybersecurity Regulation that were applicable to you during the prior calendar year, you must submit an Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of the Cybersecurity Regulation that you have not materially complied with; (3) describes the nature and extent of the noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed.
- Cybersecurity Incident Notifications – Notify DFS within 72 hours after you determine that you experienced a Cybersecurity Incident, which includes acts or attempts to gain unauthorized access to, disrupt, or misuse your Information Systems or the Nonpublic Information stored on those Information Systems that:
- impacted you and required you to notify another government body, self-regulatory agency or any other supervisory body;
- has a reasonable likelihood of materially harming any material part of your normal operations; or
- resulted in the deployment of ransomware within a material part of your Information Systems.
- Extortion Payment Notifications – If you make an extortion payment in connection with a Cybersecurity Event that occurred on your Information Systems, you must notify DFS within 24 hours of payment. Within 30 days of payment, you must provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, you conducted to find these alternatives. You must also describe the diligence you performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control.
If you qualify for a Section 500.19(a) limited exemption, as of November 1, 2024, you will also need to comply with two other Sections of the Cybersecurity Regulation: Section 500.12 and Section 500.14(a)(3).
Section 500.12 – Use multi-factor authentication (“MFA”) for any remote access you allow into your information systems, or to third-party applications where Nonpublic Information is accessible (including any cloud applications), or to privileged accounts. If – and only if – you have a CISO, you may be able to use reasonably equivalent or more secure compensating controls as long as the CISO approves and reviews the controls to ensure their reasonable equivalence at least annually.
Section 500.14(a)(3) – Provide cybersecurity awareness training that includes social engineering for all personnel at least annually.
If you do not qualify for any exemption, then you must comply with all sections of the Cybersecurity Regulation. The above list does NOT include a discussion of all of the sections that are applicable to you if you don’t qualify for an exemption.
Step 6. If you are complying with all of the sections of the Cybersecurity Regulation applicable to you, submit a Certification of Material Compliance annually by April 15. If not, submit an Acknowledgment of Noncompliance by April 15.
If you qualify for an exemption and are in material compliance with the sections of the Cybersecurity Regulation that are applicable to you, submit a Certification of Material Compliance by April 15 of each year through the DFS Portal. Directions for submitting a Certification of Material Compliance can be found on the DFS website.
If you cannot certify that you were in material compliance with the Cybersecurity Regulation for the prior calendar year, you must submit a written Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of Part 500 that you have not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. See Section 500.17(b).
If you do not qualify for an exemption, submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 of each year through the DFS Portal.
Answers to Questions Frequently Asked by Individuals and Small Businesses
Questions regarding DFS Portal submissions (Section 500.17)
1. What should I do if I am having trouble logging in to the DFS Portal or resetting my password?
If you are having trouble logging in to the DFS Portal or resetting your password, email [email protected] with “Trouble Logging into the Portal” or “Password Reset” in the subject line. If you haven’t received a response within 10 business days from the date you sent your message, DFS may not have received it. In this event, please resend your email.
If you did not receive an email from DFS after making a submission, you may email [email protected] with “Confirm My Submission” in the subject line. We will need your name or your company’s name (as it appears on the DFS license) and one of the following for you or your company: NYS License number, NAIC number, NMLS Identification number, or Institution number.
Questions regarding filing annual notifications regarding compliance (Certifications of Material Compliance and Acknowledgements of Noncompliance) (Section 500.17(b))
All Covered Entities, including non-residents, are required to submit notifications of their compliance unless they qualify for a full exemption pursuant to Section 500.19(b), (e), or (f) and have filed a Notice of Exemption.
4. If I am licensed by DFS but not currently working in the field, do I need to submit an annual notification regarding my compliance?
The following inactive licensees who do not otherwise qualify as a Covered Entity (for example, who do not hold another type of license) are exempt from the annual requirement to notify DFS regarding their compliance:
- inactive individual insurance brokers (subject to Insurance Law section 2104) who (a) do not maintain, control or use, even indirectly, any Information Systems and do not have any Nonpublic Information, and (b) have not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year;
- individual insurance agents placed in inactive status under Insurance Law §2103; and
- individual mortgage loan originators placed in inactive status under Banking Law §599-i.
If none of the above apply to your situation, then as long as you are licensed by DFS, you need to comply with the Cybersecurity Regulation. However, you may qualify for the limited exemption pursuant to Section 500.19(c) which applies to any regulated entity or licensed Person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, Section 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see table below), including the requirement to submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance.
The annual notification of compliance that is required by Section 500.17(b) must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity. If you are an individual, you should sign as the highest-ranking executive and if you don’t have a CISO – even a virtual one or one at a managed service provider – you should sign as the senior officer responsible for your cybersecurity program.
You do not need to send supporting documentation if you are submitting a Certification of Material Compliance. If you are submitting an Acknowledgment of Noncompliance, you must identify all sections of the Cybersecurity Regulation you did not materially comply with, describe the nature and extent of such noncompliance, and provide a remediation timeline or confirmation that remediation has been completed. No additional explanatory or other materials are required as part of these submissions.
The Cybersecurity Regulation does require, however, that Covered Entities maintain records, schedules, and data that support their annual notification – whether a certification or an acknowledgment -- for 5 years and provide such information to the Department upon request. The information you must keep includes, but is not limited to, the identification of all areas, systems, and processes that require or required material improvement, updating or redesign, remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
Questions About Limited Exemptions (500.19(a), (c), and (d))
It depends on the exemption for which you qualify. If you qualify for a full exemption pursuant to Section 500.19(b), (e), or (g), and submitted a Notice of Exemption, you do not need to submit an annual notification regarding your compliance. If, however, you qualify for a limited exemption and filed a Notice of Exemption pursuant to Sections 500.19(a), (c) or (d), you do need to submit an annual notification regarding your compliance with the sections of the Cybersecurity Regulation applicable to you based on the exemption for which you qualify. For example, if you qualify for a Section 500.19(a) exemption, you must file an annual notification regarding your compliance only with Sections 500.2, 500.3, 500.7, 500.9, 500.11, and 500.17.
Under Section 500.19(a)(1), which is also referred to as the Small Business Exemption, smaller Covered Entities are exempted from certain requirements of Part 500 when a Covered Entity and all of its Affiliates combined have a total of fewer than 20 employees and independent contractors. When determining whether a Covered Entity and its Affiliates have fewer than 20 employees and independent contractors, all of the Covered Entity’s employees and independent contractors and all of the Covered Entity’s Affiliates’ employees and independent contractors must be counted regardless of where any of the employees and independent contractors are located.
Note that Affiliate is defined very broadly in Section 500.1 as any individual or entity, including but not limited to any partnership, corporation, branch, agency or association, that controls, is controlled by, or is under common control with any other individual or entity, including but not limited to any partnership, corporation, branch, agency or association. For purposes of this definition, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.
Questions about full exemptions (Section 500.19(b))
You are entitled to a Section 500.19(b) exemption in this case only if you are an employee, agent, representative, or designee that is fully covered by the cybersecurity program of one of the Covered Entities for which you are an employee, agent, representative or designee. In other words, if you are an employee, agent, representative or designee of more than one other Covered Entity, you will only qualify for a Section 500.19(b) exemption if the cybersecurity program of at least one of those Covered Entities fully covers all aspects of your business.
When submitting the notice for a Section 19(b) exemption, you must provide the name of the Covered Entity whose cybersecurity program your business is covered by, along with the name of an individual at that Covered Entity who can verify the coverage.
If you work for a company that has 50 or more employees who qualify for an exemption, and your company has submitted a Notice of Exemption on your behalf through the bulk filing process, you must ask your employer to terminate your exemption when you stop working for that company. If you cannot confirm that they have done so, you may terminate your exemption. See the Instructions on How to Terminate Previously Filed Notices of Exemption to learn how to do so.
Yes. If there are any changes, you should amend your Notice of Exemption by going to the DFS Portal where there is an option to choose “amend exemption.”
DISCLAIMER: This part is explanatory and provided for informational purposes only. In the event of an inconsistency between this part and the Cybersecurity Regulation, the Cybersecurity Regulation will prevail.
Tools for Small Businesses
As doing business online becomes indispensable, it is essential that small businesses protect themselves and their customers from cybercrime. However, cybersecurity can be especially challenging for small businesses.
The Department is committed to supporting small businesses in this regard. To help improve their cybersecurity, DFS has partnered with the Global Cyber Alliance (GCA) to highlight the availability of free cybersecurity resources. GCA has created a Cybersecurity Toolkit for Small Business that contains a set of free tools, guidance, resources, and training for small businesses. It is targeted to small businesses that do not have a dedicated cybersecurity staff.
Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop sample cybersecurity policies. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. The sample policies provide a helpful starting point for all small businesses.
The sample policies include:
- Cybersecurity Policy
- Access Control Policy
- Asset Inventory & Device Management Policy
- Data Classification Policy
- Physical & Environmental Security Policy
- Risk Assessment Policy
- System & Network Security Policy
- Third Party Service Provider Policy
All cybersecurity policies created by a business should be tailored to the business’s specific needs, risks, resources, and structure. Some businesses may require additional actions beyond those suggested in the sample policies; likewise, not every action suggested will be required for every business. Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including the Cybersecurity Regulation. Best practices can also change over time.
Businesses should review their policies for accuracy, completeness, and applicability, and update them as needed based on their risk assessments.
More guidance for small businesses can be found in our Information for Small Businesses section.
Other small business resources:
Archived Materials
Materials in this section were on our Resource Center previously. Given the evolving cybersecurity landscape, they have been replaced with materials set forth in the other sections of this Resource Center. Everything currently required of Covered Entities can be found in the sections above and the materials in the other sections supersede any conflicting material found below.
- May 24, 2022: Spotlight on Small Business: DFS and the Global Cyber Alliance Share Achievable Cybersecurity Controls for Smaller Organizations
- April 26, 2022: The Human Factor: Leadership, Governance, and Diversity in Cybersecurity
- March 29, 2022: The Unrelenting Cybersecurity Battle: 5 Years of Evolving Threats and Control
- December 10, 2014: Letter Regarding New Cyber Security Examination Process