Cybersecurity Resource Center

Proposed Second Amendment to 23 NYCRR Part 500

The proposed Second Amendment to DFS Cybersecurity Regulation, 23 NYCRR Part 500, was published in the New York State Register on November 9, 2022. Comments were due on January 9, 2023, and we are in the process of reviewing them.

More information about this proposed amendment is available on our Proposed Financial Services Regulations page. 

Questions regarding the material presented here should be sent to [email protected].


Introduction

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies (referred to below as “the Cybersecurity Regulation” or “Part 500”).

The individuals and entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law (referred to below as “Covered Entities”).

This Resource Center is designed to help Covered Entities understand how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, answers frequently asked questions (FAQs), and explains how and when to submit cybersecurity-related filings to DFS, including the requisite Certifications of Compliance and notifications of Cybersecurity Events.

To sign up for updates on important regulatory guidance and information related to cybersecurity for New York financial services companies, or to access your existing subscriber preferences, please go to the DFS Email Updates Signup Page.

Industry Guidance

Recent Updates (past 6 months)

Release Date  Subject
2023-05-02  Consent Order to bitFlyer USA, Inc.
2023-03-16  Consent Order to BitPay, Inc.
2023-01-04  Consent Order to Coinbase, Inc. (related press release)

Industry Letters

Release Date  Subject
2022-02-25  Guidance on the Escalating Situation in Ukraine and Impact to the Financial Sector
2021-12-07  Guidance on Multi-Factor Authentication
2021-10-22  Guidance Regarding the Adoption of an Affiliate's Cybersecurity Program
2021-06-30  Guidance on Ransomware Prevention (related press release)
2021-02-04  Cyber Insurance Risk Framework (related press release)
2020-04-13  Guidance Regarding Cybersecurity Awareness During COVID-19 Pandemic
2014-02-06  Letter Recommending FS-ISAC Participation for all NYS-Chartered Depository Institutions (PDF)

Alerts

Release Date  Subject
2021-12-17  Log4j Vulnerability
2021-04-26  Alert Regarding Pulse Connect Secure Critical Vulnerability
2021-04-19  Cyber Fraud Alert Follow-Up: New York Insurance Identification (ID) Card Barcode Vulnerability
2021-03-30  Cyber Fraud Alert Regarding Prefilled Nonpublic Information
2021-03-09  Cyber Fraud Alert Regarding the Exploitation of Four Vulnerabilities in Microsoft Exchange Server
2021-02-16  Cyber Fraud Alert Regarding Instant Quote Websites (related press release)
2020-12-18  Cyber Alert Regarding the SolarWinds Supply Chain Compromise

Cybersecurity-Related Reports and Publications

Release Date  Subject
April 2021  Report on the SolarWinds Cyber Espionage Attack and Institutions' Response (related press release)
October 2020  Twitter Investigation Report (related press release)
April 2015  Update on Cybersecurity in the Banking Sector: Third Party Service Providers
February 2015  Report on Cybersecurity in the Insurance Sector
May 2014  Report on Cybersecurity in the Banking Sector

Cybersecurity-Related Settlements

Release Date  Subject
2023-05-02  Consent Order to bitFlyer USA, Inc.
2023-03-16  Consent Order to BitPay, Inc.
2023-01-04  Consent Order to Coinbase, Inc. (related press release)
2022-10-18  Consent Order to EyeMed Vision Care LLC (related press release)
2022-08-02  Consent Order to Robinhood Crypto, LLC (related press release)
2022-06-24  Consent Order to Carnival Corporation d/b/a Carnival Cruise Line; Princess Cruise Lines, Ltd; Holland America Line NV; Seabourn Cruise Line, Ltd; and Costa Cruise Lines, Inc. (related press release)
2021-05-13  Consent Order to First Unum Life Insurance Company and The Paul Revere Life Insurance Company (related press release)
2021-04-12  Consent Order to National Securities Corporation (related press release)
2021-03-03  Consent Order to Residential Mortgage Services, Inc. (related press release)

See all DFS Enforcement Actions

Cybersecurity FAQs

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. The following provides answers to frequently asked questions concerning 23 NYCRR Part 500. Terms used below have the meanings assigned to them in 23 NYCRR 500.01. Please note that the Department may revise or update the below information from time to time, as appropriate.

500.1 Definitions

(c) Covered Entities

1. Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities under 23 NYCRR 500? (formerly FAQ 12)

Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are "operating under or required to operate under" DFS authorizations pursuant to the Insurance Law. Moreover, since these entities have sensitive, private data, their compliance with cybersecurity protection is necessary.

2. Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500? (formerly FAQ 9)

Under N.Y. Banking Law § 590(2)(b-1), an exempt entity will need to prove its "exempt organization" status. Since the notification is not an authorization from the Department, an Exempt Mortgage Servicer under N.Y. Banking Law § 590(2)(b-1) will not fit the definition of a Covered Entity under 500.1(c). However, Exempt Mortgage Loan Servicers that also hold a license or registration, or have received approval under the provisions of Part 418.2(e), are required to prove the exemption and to comply with the regulation. With respect to the DFS cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including Exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

3. Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500? (formerly FAQ 10)

Yes. Not-for-profit Mortgage Brokers are Covered Entities. 3 NYCRR Part 39.4(e) provides that Mortgage Brokers "which seek exemption may submit a letter application" to the Mortgage Banking unit of the Department at the address set forth in section 1.1 of Supervisory Policy G 1, "together with such information as may be prescribed by" the Superintendent. As this authorization is necessary for a Not-for-profit Mortgage Broker, it is a Covered Entity under 23 NYCRR 500.

4. Can the same entity be a Covered Entity, an Authorized User, and a Third Party Service Provider? (formerly FAQ 4)

Yes. Depending on the facts and circumstances, the same entity can be a Covered Entity, an Authorized User, and a Third Party Service Provider. This is common in the case of independent insurance agents. For example, a DFS-licensed independent agent that works with multiple insurance companies is a Covered Entity with its own obligation to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information. See 23 NYCRR 500.2.

In addition, when the independent agent holds or has access to any Nonpublic Information or Information Systems maintained by an insurance company with which it works (for example, for quotations, issuing a policy or any other data or system access), the independent agent will be a Third Party Service Provider with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including but not limited to risk based policies and procedures for minimum cybersecurity practices, due diligence processes, periodic assessment, access controls, and encryption).

Further, an independent agent will also be an Authorized User if it participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.

It is also noted that, like any other Covered Entity, an insurance company may also be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.

In all events, each Covered Entity is responsible for thoroughly evaluating its relationships with other entities in order to ensure that it is fully complying with all applicable provisions of 23 NYCRR Part 500.

5. Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500? (formerly FAQ 30)

Yes, they are considered Covered Entities and, as such, must comply with Part 500. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office, are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch's, agency's, or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.

500.2 Cybersecurity Program

6. May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it? (formerly FAQ 27)

A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part as provided for in Part 500.2(c), as long as the Covered Entity's overall cybersecurity program meets all requirements of 23 NYCRR Part 500. The Covered Entity remains responsible for full compliance with the requirements of 23 NYCRR Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.

500.4 Chief Information Security Officer

7. To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.4(a)(2)-(3)? (formerly FAQ 29)

To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.4(a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR 500.4(a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

8. Under Section 500.4(b), can the requirement that the CISO report in writing at least annually "to the Covered Entity's board of directors" (the "board") be met by reporting to an authorized subcommittee of the board? (formerly FAQ 19)

No. The Department emphasizes that a well-informed board is a crucial part of an effective cybersecurity program and the CISO's reporting to the full board is important to enable the board to assess the Covered Entity's governance, funding, structure, and effectiveness as well as compliance with 23 NYCRR Part 500 or other applicable laws or regulations.

500.5 Penetration Testing and Vulnerability Assessments

9. What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.5? (formerly FAQ 34)

Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.5.
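To make the distinction in the answer above concrete, here is an added example (not code from the DFS page): a small event-driven detector that evaluates every log line as it arrives, alongside a calculation of how much later the same finding would surface if the identical logic were only run at a periodic review. The syslog-style lines, the host names, the brute-force threshold of five failures in 60 seconds, and the review intervals are all constructed for illustration; no specific product or log format is implied by the regulation.

```python
# Added example, not from the DFS page: a minimal continuous-monitoring
# detector contrasted with periodic review of the same events. Log lines,
# field formats, thresholds and review intervals are constructed assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample; not real data.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:02Z auth sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z auth sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04Z auth sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05Z auth sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06Z auth sshd[101]: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00Z fw ufw[77]: rule changed: ALLOW IN 0.0.0.0/0 to 22/tcp by root
2024-03-01T10:30:00Z auth sshd[102]: Failed password for alice from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"rule changed: (?P<rule>.+)")


def parse(line):
    """Return (timestamp, host, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["host"], m["msg"]


class ContinuousMonitor:
    """Keeps sliding-window state per (user, ip) and decides on every event."""

    def __init__(self, window=timedelta(seconds=60), threshold=5):
        self.window = window
        self.threshold = threshold
        self.failures = defaultdict(deque)  # (user, ip) -> recent failure times
        self.alerts = []                    # (event_time, description)

    def ingest(self, line):
        """Evaluate one line as it arrives; return an alert string or None."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, _host, msg = parsed
        alert = None
        if (m := FAIL_RE.search(msg)):
            key = (m["user"], m["ip"])
            recent = self.failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()  # drop failures that fell outside the window
            if len(recent) == self.threshold:  # fire once, when the threshold is reached
                alert = f"brute-force: {self.threshold} failures for {key[0]} from {key[1]}"
        elif (m := OK_RE.search(msg)):
            key = (m["user"], m["ip"])
            if len(self.failures.get(key, ())) >= self.threshold:
                alert = f"success-after-failures: {key[0]} from {key[1]}"
        elif (m := FW_RE.search(msg)):
            alert = f"firewall change: {m['rule']}"
        if alert:
            self.alerts.append((ts, alert))
        return alert


def next_review(ts, interval, anchor=datetime(1970, 1, 1)):
    """First periodic review boundary strictly after ts."""
    return anchor + ((ts - anchor) // interval + 1) * interval


def compare(lines, review_interval_hours):
    """Run the detector on every line and report, per alert, when the same
    finding would first be seen under review every review_interval_hours."""
    mon = ContinuousMonitor()
    for line in lines:
        mon.ingest(line)
    interval = timedelta(hours=review_interval_hours)
    report = []
    for ts, alert in mon.alerts:
        seen = next_review(ts, interval)
        report.append({
            "alert": alert,
            "continuous": ts.isoformat(),
            "periodic": seen.isoformat(),
            "delay_seconds": int((seen - ts).total_seconds()),
        })
    return report


def demo(review_interval_hours=1):
    """Run the comparison over the constructed sample log."""
    return compare(SAMPLE_LOG.splitlines(), review_interval_hours)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On the sample, the continuous path raises three alerts at the moment of the triggering event (the fifth failed login, the success that follows it, and the firewall rule change), while the single failure for alice never reaches the threshold. The `delay_seconds` column is the extra exposure that an hourly or daily review adds before anyone looks; the detection logic is identical in both paths, so what makes monitoring "continuous" is when the logic runs, not which tool runs it.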

500.9 Risk Assessment

10. Should Covered Entities use a cyber assessment framework as part of their risk assessment process? (formerly FAQ 41)

The risk assessments required by Sections 500.9 & 500.2(b) are the foundation of the comprehensive cybersecurity program required by DFS’s Cybersecurity Regulation, and a cyber assessment framework is a useful component of a comprehensive risk assessment. DFS does not require a specific standard or framework for use in the risk assessment process. Rather, we expect Covered Entities to implement a framework and methodology that best suits their risk and operations. Among the widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.

11. Do Covered Entities have any obligations when acquiring or merging with a new company? (formerly FAQ 11)

Yes. Section 500.9(a) states that the "Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Information Systems, Nonpublic Information or business operations." Furthermore, Section 500.8(b) states that the institution's application security "procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity." As such, when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of Personally Identifiable Information, the safety and soundness of the Covered Entity, and the integration of data systems. The Department emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.

12. How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates? (formerly FAQ 23)

When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections 500.9, 500.2 and 500.3, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.

13. How must a Covered Entity address cybersecurity issues with respect to a Bank Holding Company (“BHC”)? (formerly FAQ 6)

Under 23 NYCRR Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, it must evaluate and address any risks that a BHC (or other affiliate of the Covered Entity) presents to the Covered Entity’s Information Systems and/or Nonpublic Information. For example, if a Covered Entity shares its data and systems with a BHC, the Covered Entity must ensure that such shared data and systems are protected. Specifically, the Covered Entity must evaluate and address in its Risk Assessment, cybersecurity program and cybersecurity policies the risks that the BHC poses with respect to such shared Information Systems and/or Nonpublic Information. In the same manner, a Covered Entity must also evaluate and address other cybersecurity risks that a BHC may pose to it. A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC or that otherwise may be subjected to risk by a BHC. Other regulatory requirements may also apply, depending on the individual facts and circumstances.

500.11 Third Party Service Provider Security Policy

14. If Covered Entity A utilizes Covered Entity B (not related to Covered Entity A) as a Third Party Service Provider, and Covered Entity B provides Covered Entity A with evidence of its Certification of Compliance with NYSDFS Cybersecurity Regulations, could that be considered adequate due diligence under the due diligence process required by Section 500.11(a)(3)? (formerly FAQ 14)

No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks.

15. Are all Third Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity? (formerly FAQ 38)

It depends. 23 NYCRR 500.11, among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity's Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. 23 NYCRR 500.11(b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, 23 NYCRR 500.11(b) requires Covered Entities to make a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.

16. Can an entity be both a Covered Entity and a Third Party Service Provider under 23 NYCRR Part 500? (formerly FAQ 37)

Yes. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of 23 NYCRR Part 500 as a Covered Entity.

17. How must a Covered Entity address cybersecurity issues with respect to Utilization Review (“UR”) agents? (formerly FAQ 3)

When a Covered Entity is using an independent UR agent, that Covered Entity should be treating them as Third Party Service Providers (“TPSP”). Since UR agents will be receiving Nonpublic Information from that Covered Entity, that Covered Entity must assess the risks each TPSP poses to their data and systems and effectively address those risks. The Covered Entity will ultimately be responsible in ensuring that their data and systems are protected.

500.12 Multi-Factor Authentication

18. Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)? (formerly FAQ 40)

Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.

500.17 Notices to Superintendent

500.17(a): Cybersecurity Event

19. When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)? (formerly FAQ 35)

23 NYCRR 500.17(a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred. A Cybersecurity Event is reportable if it falls into at least one of the following categories: (1) the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.

20. When is an unsuccessful attack a Cybersecurity Event that has or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” under the reporting requirements of 23 NYCRR Section 500.17(a)(2)? (formerly FAQ 21)

The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.

The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department. Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.

The Department recognizes that Covered Entities’ focus should be on preventing cybersecurity attacks and improving systems to protect the institution and its customers. The Department’s notice requirement is intended to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.

21. Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers? (formerly FAQ 25)

Yes. 23 NYCRR 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under 23 NYCRR 500.17(a)(1), a Covered Entity must give notice to the Department of any Cybersecurity Event “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach. Under 23 NYCRR 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to the Department.

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” To the extent a Cybersecurity Event involves material consumer harm, it is covered by this provision.

22. When there is a Cybersecurity Event at a Third Party Service Provider that affects a Covered Entity, is that Covered Entity required to notify DFS even if the Third Party Service Provider notifies DFS on the Covered Entity’s behalf? (formerly FAQ 39)

Yes. Under 23 NYCRR Section 500.17(a), “[e]ach Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.” Thus, if a Cybersecurity Event at a Third Party Service Provider affects a Covered Entity, then the Covered Entity itself must provide notice to DFS directly – regardless of whether the Third Party Service Provider is also a Covered Entity or offers to provide notice on the Covered Entity’s behalf. Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry.

23. Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event? (formerly FAQ 26)

New York’s information security breach and notification law (also known as the SHIELD Act, General Business Law Section 899-aa) requires notice to consumers who have been affected by cybersecurity incidents. Further, under 23 NYCRR Part 500, a Covered Entity’s cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address, as part of their incident response plans, external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of 23 NYCRR Part 500.

500.17(b): Certification of Compliance

24. If I am an individual with no Board of Directors, then who can file my Certification of Compliance? (formerly FAQ 8)

23 NYCRR 500.1 defines Senior Officer as "the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity…" A Covered Entity is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law". Individuals filing a Certification of Compliance for their own individual license should file their Certification selecting the "self" option. When choosing "self", you will be able to file for your own individual license and will be acting as a Senior Officer, as defined in the Regulation.

25. May the certification requirement of 23 NYCRR 500.17(b) be met by an Affiliate? (formerly FAQ 28)

No. Each Covered Entity is required to certify its own compliance with Part 500 annually.

26. Should a Covered Entity send supporting documentation along with the Certification of Compliance? (formerly FAQ 16)

Each Covered Entity is required to submit a Certification of Compliance to the Department and is not required to submit explanatory or additional materials with that certification. The certification is intended as a stand-alone document required by the regulation. The Cybersecurity Regulation does require Covered Entities to maintain records, schedules, and data that support the certification for 5 years, should the Department request such information in the future. Likewise, under 23 NYCRR Section 500.17, to the extent a Covered Entity has identified areas, systems, or processes that require material improvement, updating or redesign, the Covered Entity must document such efforts and maintain such schedules and documentation for inspection during the examination process or as otherwise requested by the Department.

27. May a Covered Entity submit a certification under 23 NYCRR 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500? (formerly FAQ 33)

The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity was in compliance with all applicable requirements of Part 500 for the calendar year for which it is certifying.

500.19 Exemptions

28. When does the limited exemption in 23 NYCRR 500.19(a)(1), for Covered Entities with “fewer than 10 employees,” apply? (formerly FAQ 1)

Under 23 NYCRR 500.19(a)(1), a Covered Entity is exempted from certain enumerated requirements of Part 500 only when the Covered Entity and all of its Affiliates combined have a total of fewer than 10 employees (including independent contractors) who are “located in New York” or “responsible for business of the Covered Entity.” Thus, in determining whether there is a total of fewer than 10 employees, you must count all the following: (1) all the Covered Entity’s employees, regardless of location; (2) each Affiliate’s employees who are in New York; and (3) each Affiliate’s employees who are responsible for any aspect of the Covered Entity’s business, regardless of location. If an Affiliate’s employee provides any service to, or performs any task for, the Covered Entity, that employee must be counted, regardless of location. This includes, but is not limited to, any shared services provided by an Affiliate that are used by the Covered Entity.

29. If a Covered Entity qualifies for a limited exemption, does it need to comply with 23 NYCRR Part 500? (formerly FAQ 24)

All but one of the exemptions listed in 23 NYCRR Part 500.19 are limited in scope. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for these exempted entities. As such, Covered Entities that qualify for those exemptions are only exempt from complying with certain provisions as set forth in the regulation, but must comply with the sections listed in the exemption that applies to that Covered Entity.

30. If a Covered Entity has a limited exemption, what provisions of the regulation does it still need to comply with? (formerly FAQ 5)

Please see the charts below.

Exemption: 500.19(a)(1) Fewer than 10 employees working in NYS; 500.19(a)(2) Less than $5 million in gross annual revenue; 500.19(a)(3) Less than $10 million in year-end total assets

Exempt From:
  • 500.4 - Chief Information Security Officer
  • 500.5 - Penetration Testing and Vulnerability Assessments
  • 500.6 - Audit Trail
  • 500.8 - Application Security
  • 500.10 - Cybersecurity Personnel and Intelligence
  • 500.12 - Multi-Factor Authentication
  • 500.14 - Training and Monitoring
  • 500.15 - Encryption of Nonpublic Information
  • 500.16 - Incident Response Plan

Still Required:
  • 500.2 - Cybersecurity Program
  • 500.3 - Cybersecurity Policy
  • 500.7 - Access Privileges
  • 500.9 - Risk Assessment
  • 500.11 - Third Party Service Provider Security Policy
  • 500.13 - Limitations on Data Retention
  • 500.17 - Notices to Superintendent
  • 500.18 - Confidentiality
  • 500.19 - Exemptions
  • 500.20 - Enforcement
  • 500.21 - Effective Date
  • 500.22 - Transitional Periods
  • 500.23 - Severability

Exemption: 500.19(c) Does not control any information systems and nonpublic information; 500.19(d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company

Exempt From:
  • 500.2 - Cybersecurity Program
  • 500.3 - Cybersecurity Policy
  • 500.4 - Chief Information Security Officer
  • 500.5 - Penetration Testing and Vulnerability Assessments
  • 500.6 - Audit Trail
  • 500.7 - Access Privileges
  • 500.8 - Application Security
  • 500.10 - Cybersecurity Personnel and Intelligence
  • 500.12 - Multi-Factor Authentication
  • 500.14 - Training and Monitoring
  • 500.15 - Encryption of Nonpublic Information
  • 500.16 - Incident Response Plan

Still Required:
  • 500.9 - Risk Assessment
  • 500.11 - Third Party Service Provider Security Policy
  • 500.13 - Limitations on Data Retention
  • 500.17 - Notices to Superintendent
  • 500.18 - Confidentiality
  • 500.19 - Exemptions
  • 500.20 - Enforcement
  • 500.21 - Effective Date
  • 500.22 - Transitional Periods
  • 500.23 - Severability


31. Is a Covered Entity entitled to an exemption under Section 500.19(b) if that Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity? (formerly FAQ 17)

Section 500.19(b) states that a Covered Entity who is an "employee, agent, representative or designee of a Covered Entity . . . is exempt from" 23 NYCRR Part 500 and "need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity" (emphasis added). This exemption requires an employee, agent, representative, or designee to be fully covered by the program of another Covered Entity. Therefore, a Covered Entity who is an employee, agent, representative or designee of more than one other Covered Entity will only qualify for a Section 500.19(b) exemption where the cybersecurity program of at least one of its parent Covered Entities fully covers all aspects of the employee's, agent's, representative's or designee's business.

32. Does a Covered Entity that qualifies for an exemption under 23 NYCRR Section 500.19(b) need to file a Notice of Exemption? (formerly FAQ 18)

Yes. 23 NYCRR 500.19 subsections (a) through (d) set forth certain limited exemptions from different requirements of Part 500. Pursuant to 23 NYCRR Section 500.19(e): "[a] Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption" (emphasis added).

33. Does a Covered Entity need to amend its Notice of Exemption in the event of changes after the initial submission (e.g., name changes or changes to the applicable exemption(s))? (formerly FAQ 15)

Yes. If there are changes, the Covered Entity can amend its initial filing through the DFS Portal. When accessing the portal, Covered Entities will need to choose the “amend exemption” option and file an updated exemption by selecting the exemptions for which they still qualify. For example, if a Covered Entity originally submitted a Notice of Exemption stating that it qualified for exemptions under Sections 500.19(b) and 500.19(a)(1), but it now only qualifies for a Section 500.19(a)(1) exemption, then the Covered Entity must amend its Notice of Exemption with the correct information.

The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Portal. The Covered Entity should use the account it used to file the original Notice of Exemption, or create a new account if no individual filing was previously made.

34. If a Covered Entity ceases to qualify for an exemption under Section 500.19, how should the Covered Entity notify the Department? (formerly FAQ 2)

If a Covered Entity ceases to qualify for a previously claimed exemption, the Covered Entity should, as soon as reasonably possible, notify the Department through the DFS Portal by terminating its previously filed exemption. The Department notes that, under Section 500.19(g), if a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, “such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of” 23 NYCRR Part 500. Please note that the Department might require a Covered Entity to periodically refile its exemptions to ensure that all Covered Entities still qualify for the claimed exemption.

35. Can a Covered Entity file a Notice of Exemption on behalf of its employees or agents? (formerly FAQ 20)

By permission, the Department will approve certain Covered Entities to file Notices of Exemption on behalf of their employees or captive agents who are also Covered Entities. This option is available only for filings covering 50 or more employees or captive agents, and only if all of those employees or captive agents qualify for the same exemptions. Covered Entities with over 50 employees or agents on whose behalf they have authority to file should contact the Department at [email protected] from the email address associated with their DFS Portal account, and then follow the instructions below. The Department will coordinate with the Covered Entity to submit a one-time filing form to effectuate an exemption filing for multiple Covered Entities. On the spreadsheet, the submitter will need to provide the first and last name, DFS identification number, type of license, and email for every employee or captive agent. After approval, the Department will send more detailed instructions and the exemption spreadsheet. In the event of any changes, the entity will be able to add and terminate exemptions through the portal. The Department emphasizes that the employee or captive agent for whom the Covered Entity is filing remains ultimately responsible for ensuring their compliance with 23 NYCRR Part 500. It remains the responsibility of the employee or captive agent to notify the Department of any changes in their status.

Exceptions/Deferrals to other regulators

36. Can a Common Trust Fund (“CTF”) that is administered by another Covered Entity rely on the cybersecurity program of that Covered Entity? (formerly FAQ 7)

A CTF that is administered by another Covered Entity can rely on the cybersecurity program of that Covered Entity, as long as that cybersecurity program conforms with 23 NYCRR Part 500 and fully protects the CTF. Under these circumstances, the Covered Entity must submit a Certification of Compliance to the Department. If the CTF is administered by a national bank, then the Department will defer to that bank’s primary regulator to ensure that the CTF has a proper cybersecurity program. Further, to protect markets, the Department strongly encourages all financial entities, including CTFs administered by national banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

37. Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500? (formerly FAQ 22)

New York is a signatory to the Nationwide Cooperative Agreement, Revised as of December 9, 1997 (the “Agreement”), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches.  In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination.  DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York.  With respect to the DFS cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

Cybersecurity FAQs for Producers and Individual Licensees

1. If I filed a Notice of Exemption from the Cybersecurity Regulation, do I need to file a Certification of Compliance?

Yes, you are required to file a Certification of Compliance even if you filed for an exemption under 23 NYCRR Part 500.19. The exemptions are limited in scope and do not exempt you from every requirement of the Cybersecurity Regulation. If you filed a Notice of Exemption under sections 500.19 (a), (c) or (d), you are still required to file a Certification of Compliance to confirm that you are in compliance with the provisions of the Cybersecurity Regulation that apply to you as specified in the regulation.

Consequently, if you filed for an exemption under subsection (a) of 23 NYCRR 500.19, you still must:

  • maintain a Cybersecurity Program as required in section 500.2;
  • maintain a Cybersecurity Policy as required in section 500.3;
  • limit Access Privileges as required in section 500.7;
  • conduct a Risk Assessment as required by section 500.9;
  • implement a Third Party Service Provider policy as required by section 500.11;
  • limit your Data Retention as required in section 500.13; and
  • provide Notices to the Superintendent as required by section 500.17, which includes filing an annual Certification of Compliance.

If you filed for an exemption under subsections (c) or (d) of 23 NYCRR 500.19, you still must:

  • conduct a Risk Assessment as required by section 500.9;
  • implement a Third Party Service Provider Policy as required by section 500.11;
  • limit your Data Retention as required in section 500.13; and
  • provide Notices to the Superintendent as required by section 500.17, which includes filing an annual Certification of Compliance.

2. I already filed a Certification of Compliance so why did I receive a notification that I need to file a Certification of Compliance?

You received this notice because you have a license with DFS that is still missing a Certification of Compliance. If you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold. This includes licenses for entities and licenses for individuals.

3. If I am currently a non-resident, do I need to file a Certification of Compliance?

All persons licensed by DFS are required to file a Certification of Compliance under the cybersecurity regulation unless you are exempt under section 500.19 (b). If you are still licensed by DFS and have not applied for that exemption, you must file a Certification of Compliance.

4. If I am licensed by DFS but not currently working in the field, do I still need to file a Certification of Compliance?

Yes. As long as you are licensed by DFS, you need to comply with the cybersecurity regulation. However, you may qualify for a limited exemption pursuant to § 500.19(c), which applies to any regulated entity or licensed person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see chart above), including the requirement to submit an annual Certification of Compliance.

Exemptions

Section 19 of the Cybersecurity Regulation sets forth certain exemptions for which Covered Entities may qualify. All but one of the exemptions are limited in scope and require compliance with some sections of the Cybersecurity Regulation. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for each category of exempted entities.

Qualifications for Exemptions

The following summarizes the qualifications needed for each of the exemptions found in section 500.19:

  • 500.19(a)(1) – To qualify, a Covered Entity and all of its Affiliates combined must have a total of fewer than 10 employees (including independent contractors) who are “located in New York” or “responsible for business of the Covered Entity.” Thus, in determining whether there is a total of fewer than 10 employees, you must count all the following: (1) all the Covered Entity’s employees, regardless of location; (2) each Affiliate’s employees who are in New York; and (3) each Affiliate’s employees who are responsible for any aspect of the Covered Entity’s business, regardless of location. If an Affiliate’s employee provides any service to, or performs any task for, the Covered Entity, that employee must be counted, regardless of location. This includes, but is not limited to, any shared services provided by an Affiliate that are used by the Covered Entity.  This is a limited exemption.  See the chart below for a list of the sections of Part 500 with which a Covered Entity must still comply.
  • 500.19(a)(2) – To qualify, the Covered Entity must have less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years from its NY business operations and the NY business operations of its Affiliates. This is a limited exemption.  See the chart below for a list of the sections of Part 500 with which a Covered Entity still must comply.
  • 500.19(a)(3) – To qualify, the regulated Entity must have less than $10,000,000 in year-end total assets. This is a limited exemption.  See the chart below for a list of the sections of Part 500 with which a Covered Entity must still comply.
  • 500.19(b) – To qualify, a Covered Entity must be an employee, agent, representative or designee of another Covered Entity and all aspects of the employee’s, agent’s, representative’s, or designee’s business must be fully covered by the Cybersecurity Program of the other Covered Entity. Under this exemption, individuals and entities will be required to identify the regulated entity whose program they are following and provide the name of an appropriate representative who can confirm the individual or entity is fully covered by that cybersecurity program.  This is a full exemption. 
  • 500.19(c) – To qualify, regulated individuals and entities must not utilize an Information System and must not, and must not be required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information. This is a limited exemption. See the chart below for a list of the sections of Part 500 with which a Covered Entity must still comply.
  • 500.19(d) – To qualify, the regulated entity must be a captive insurance company that does not control nonpublic information other than information relating to its corporate parent company. This is a limited exemption.  See the chart below for a list of the sections of Part 500 with which a Covered Entity must still comply.

Requirements Remaining with Limited Exemptions

Exemption: 500.19(a)(1) Fewer than 10 employees working in NYS; 500.19(a)(2) Less than $5 million in gross annual revenue; 500.19(a)(3) Less than $10 million in year-end total assets

Exempt From:
  • 500.4 - Chief Information Security Officer
  • 500.5 - Penetration Testing and Vulnerability Assessments
  • 500.6 - Audit Trail
  • 500.8 - Application Security
  • 500.10 - Cybersecurity Personnel and Intelligence
  • 500.12 - Multi-Factor Authentication
  • 500.14 - Training and Monitoring
  • 500.15 - Encryption of Nonpublic Information
  • 500.16 - Incident Response Plan

Remaining Requirements:
  • 500.2 - Cybersecurity Program
  • 500.3 - Cybersecurity Policy
  • 500.7 - Access Privileges
  • 500.9 - Risk Assessment
  • 500.11 - Third Party Service Provider Security Policy
  • 500.13 - Limitations on Data Retention
  • 500.17 - Notices to Superintendent
  • 500.18 - Confidentiality
  • 500.19 - Exemptions
  • 500.20 - Enforcement
  • 500.21 - Effective Date
  • 500.22 - Transitional Periods
  • 500.23 - Severability

Exemption: 500.19(c) Does not control any information systems and nonpublic information; 500.19(d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company

Exempt From:
  • 500.2 - Cybersecurity Program
  • 500.3 - Cybersecurity Policy
  • 500.4 - Chief Information Security Officer
  • 500.5 - Penetration Testing and Vulnerability Assessments
  • 500.6 - Audit Trail
  • 500.7 - Access Privileges
  • 500.8 - Application Security
  • 500.10 - Cybersecurity Personnel and Intelligence
  • 500.12 - Multi-Factor Authentication
  • 500.14 - Training and Monitoring
  • 500.15 - Encryption of Nonpublic Information
  • 500.16 - Incident Response Plan

Remaining Requirements:
  • 500.9 - Risk Assessment
  • 500.11 - Third Party Service Provider Security Policy
  • 500.13 - Limitations on Data Retention
  • 500.17 - Notices to Superintendent
  • 500.18 - Confidentiality
  • 500.19 - Exemptions
  • 500.20 - Enforcement
  • 500.21 - Effective Date
  • 500.22 - Transitional Periods
  • 500.23 - Severability

Notify DFS of Exemptions

All Covered Entities that qualify for an exemption must file a Notice of Exemption with DFS stating their current exempt status pursuant to Section 500.19(e).  (See section titled Cybersecurity-related Filings below for information on how to file a Notice of Exemption.)

Exemptions filed after December 21, 2018 remain in effect until amended or terminated.  If there has been any change in exemption qualification status, Covered Entities should amend or terminate their exemption as soon as possible and have 180 days from the end of the fiscal year in which they cease to be exempt to comply with all applicable requirements of Part 500. To amend or terminate previous filings, see the next section titled Cybersecurity-related Filings, Amending or Terminating a Filed Exemption.

Cybersecurity-related Filings

Covered Entities are required to file annual certifications that they have complied with the Cybersecurity Regulation pursuant to § 500.17(b). They may also submit Notices of Exemption, including bulk filings if applicable.

How to File

These submissions should be made through the DFS Portal. To ensure that filings are matched to the correct individual or entity, the Portal requires use of an identifying number when filing. The identifying numbers are: NYS License number, NAIC/NY Entity number, NMLS number, or Institution number. Please make sure to have your NYS license number available when filing. The DFS Portal contains a look-up feature for anyone who does not know which number to use.

To get started, visit the DFS Portal.

Receipts

After each filing you complete, you will receive an email that includes a receipt number. The receipt will indicate the type of filing made as well as the year it was filed:

  • Notices of Exemption will have a receipt number that begins with the letter “E.”
  • Certifications of Compliance will have a receipt number that starts with the letter “C.”

Maintain a copy of this receipt number for your records.

The e-mail receipt is the only confirmation of your filing that you will receive.

Annual Certifications of Compliance

The Certification of Compliance is a critical governance pillar of the cybersecurity programs of all Covered Entities. Prior to April 15th of each year, all Covered Entities must file a Certification of Compliance confirming their compliance with the Cybersecurity Regulation for the previous calendar year. An entity or individual should only submit a Certification if they were in compliance with all portions of the regulations that applied to that Covered Entity during the time period the Certification covers. Even if a Covered Entity qualifies for an exemption pursuant to 500.19(a), (c), or (d), it has to submit a Certification of Compliance to demonstrate that it was in compliance with the sections of the regulation that apply pursuant to the particular exemption. (The exemption set forth in 500.19(b) is the only exemption that does not require a Covered Entity to file a Certification of Compliance.)

Certifications of Compliance for the calendar year 2022 are due by April 15, 2023. Covered Entities that hold more than one license must file a separate Certification of Compliance for each license they hold.

Notices of Exemption

Covered Entities that qualify for an exemption must file a Notice of Exemption stating their current exempt status within 30 days of the determination that they so qualify.  To complete a Notice of Exemption, you must identify all exemptions for which you qualify.  (More detailed information on exemptions can be found in the section titled Exemptions above.)

Once filed, Notices of Exemption filed after December 21, 2018 remain in effect until amended or terminated (instructions on how to amend and terminate exemptions can be found below.)  In other words, if your exemption qualification status has not changed, you do not need to file another Notice of Exemption in any subsequent year.

Amending or Terminating a Filed Exemption

If the exemption qualification status of a Covered Entity has changed, then the Covered Entity must notify DFS of that change as soon as reasonably possible through the DFS Portal.

After an initial Notice of Exemption is filed, it can be amended or terminated through the DFS Portal. The amendment option should be used when exempt status changes, but the person or entity remains entitled to an exemption. Amending an exemption will leave at least one exemption in place.

Covered Entities that previously filed a Notice of Exemption and no longer qualify for an exemption, including those on whose behalf a Notice of Exemption was submitted through the bulk filing process, must terminate their exemption as soon as reasonably possible after they no longer qualify.

Pursuant to 500.19(g), when a Covered Entity no longer qualifies for an exemption, it has 180 days from its fiscal year end to comply with all applicable requirements of the Cybersecurity Regulation.

Bulk Exemption Filings

By permission, the Department will allow an employer that is regulated by DFS to file exemptions on behalf of its employees or captive agents who are also regulated by DFS through the bulk submission process. To be eligible to submit bulk filings, a regulated entity must have at least 50 employees or captive agents on whose behalf they have authority to file, and such filings can only be made on behalf of employees or captive agents that qualify for the same exemption.

If you qualify and would like access to file bulk submissions, email the Department at [email protected] from the email address associated with your Portal account, and attach a completed Request for Multiple Filing of Notices of Exemption Form (PDF).

Once approved, the Department will send filing instructions.  The submitter will need to provide the first and last name, DFS identification number, type of license, and email for every employee or captive agent. After approval, the Department will send more detailed instructions and the exemption spreadsheet. In the event that there are any changes, the employer will be able to add and terminate exemptions through the DFS Portal.

If a Notice of Exemption is filed on your behalf as part of a bulk filing, you will receive an email from DFS confirming the filing. The email will include a receipt number as well as list the exemption(s) filed. You must retain a copy of this receipt number for future reference as it will be the only receipt you will get from DFS.

The Department emphasizes that the employee or captive agent, for whom the employer is filing, is ultimately responsible for ensuring compliance with Part 500. It is, therefore, the responsibility of the employee or captive agent to notify the Department of any changes in their status.

Report a Cybersecurity Event

Covered Entities must notify the superintendent pursuant to § 500.17(a) of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred.

A Cybersecurity Event is defined in § 500.1(d) as any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system.

A Cybersecurity Event is reportable if it falls into at least one of the following categories: (1) the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful. The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.

For more information about reporting a Cybersecurity Event, see FAQs 19-23.

To report a Cybersecurity Event to DFS, visit the DFS Portal.

Examinations

NEW MULTI-PRONGED APPROACH TO CYBERSECURITY SUPERVISION

To adapt to the growing destructive potential of cyberattacks, and to safeguard financial services organizations and the confidential information of New Yorkers, DFS needs access to more immediate information about the conditions of the firms it oversees. DFS launched a pilot program to obtain such information in December 2021. The program, a first among regulators, combines the traditional regulatory approach with modern cybersecurity risk assessment tools that will enhance the Department's ability to monitor cyber risk at the thousands of New York financial services companies it regulates. The incorporation of private-sector cybersecurity assessment tools allows DFS to assess the cyber risk facing DFS-regulated entities better and faster. Moreover, this comprehensive assessment will provide a systematic approach to measuring cyber risk, improve transparency in regulatory oversight, drive policy, and enable DFS to focus its examinations and guidance on the areas of most significant risk. DFS plans to extend the new cybersecurity supervision tools to all regulated entities in 2022.

Regulatory Exam Data and Filings

DFS will continue to conduct regular examinations, and will also assess regulated entities for cybersecurity risk based on their historical examination reports, annual Cybersecurity Certifications of Compliance, Cyber Events reported, and other regulatory filings.

Cyber Controls Assessment Questionnaire

DFS will periodically issue a cyber controls assessment questionnaire, titled Cybersecurity and Information Technology Baseline Risk Questionnaire, to regulated companies to evaluate the strength of their cybersecurity programs. The assessment will be independent of the examination process and based on similar assessments used by industry and cyber insurers to assess risk for financial services companies.

SecurityScorecard’s cybersecurity ratings and analysis

DFS uses SecurityScorecard’s cybersecurity ratings and analysis for DFS regulated entities. SecurityScorecard derives its ratings from open-source information and internet scanning that provide an outside-in view of an entity’s cyber risk based on publicly-available data. Cybersecurity ratings such as those created by SecurityScorecard are now widely used by cyber insurers and other financial services firms.

Tools for Small Businesses

The Department of Financial Services recognizes that small businesses are the backbone of our economy. As doing business online becomes indispensable, it is essential that small businesses protect themselves and their customers from cybercrime. However, cybersecurity can be especially challenging for small businesses.

The Department is committed to supporting small businesses in this regard. To help improve their cybersecurity, DFS has partnered with the Global Cyber Alliance (GCA) to provide free cybersecurity resources. GCA has created a Cybersecurity Toolkit for Small Business that contains a set of free tools, guidance, resources, and training for small businesses. It is targeted to small businesses that do not have a dedicated cybersecurity staff.

Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop a set of sample cybersecurity policies based on cybersecurity best practices. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. The sample policies provide a helpful starting point for all small businesses.

The sample policies include:


All cybersecurity policies created by a business should be tailored to the business’s specific needs, risks, resources, and structure. Some businesses may require additional actions beyond those suggested in the sample policies; likewise, not every action suggested will be required for every business. Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including the Cybersecurity Regulation. Best practices can also change over time.

Businesses should review their policies for accuracy, completeness, and applicability, and update them as needed based on their risk assessments.

More guidance for small businesses can be found in our Information for Small Businesses section.

Other small business resources:

Events and Symposiums

Archived/Older Materials

Materials in this section were on our Cybersecurity Resource Center previously.  Given the evolving cybersecurity landscape, they have been replaced with materials set forth in the other sections of this Cybersecurity Resource Center.  Everything currently required of Covered Entities can be found in the sections above and the materials in the other sections supersede any conflicting material that might be found below.

Recent Updates

FAQ # / FAQ Added or Edited / Date

41. Should Covered Entities use a cyber assessment framework as part of their risk assessment process? (12/09/2021)

40. Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)? (09/09/2021)

39. When there is a Cybersecurity Event at a Third Party Service Provider that affects a Covered Entity, is that Covered Entity required to notify DFS even if the Third Party Service Provider notifies DFS on the Covered Entity’s behalf? (09/09/2021)

1. When does a Covered Entity qualify for a limited exemption under 23 NYCRR § 500.19(a)? (Revised) (06/08/2021)

Cybersecurity FAQs

When does a Covered Entity qualify for a limited exemption under 23 NYCRR § 500.19(a)?

The limited exemptions in 23 NYCRR § 500.19(a) are intended for smaller businesses.

If a Covered Entity files a Notice of Exemption with the Department representing that it qualifies for one of these limited exemptions, then the Covered Entity should maintain data and documentation supporting the Notice of Exemption for five years and shall provide such data and documentation if requested by the Department.

Under 23 NYCRR § 500.19(a)(1), a Covered Entity is exempted from certain enumerated requirements of Part 500 only when the Covered Entity and all of its Affiliates have a combined total of fewer than 10 employees (including independent contractors) who are “located in New York” or “responsible for business of the Covered Entity.” Thus, in determining whether there is a combined total of fewer than 10 employees, you must add together all of the following:

  • all the Covered Entity’s employees, regardless of location;
  • each Affiliate’s employees who are located in New York; and
  • each Affiliate’s employees who are responsible for any aspect of the Covered Entity’s business, regardless of the location of such employees. If an Affiliate’s employee provides any service to, or performs any task for, the Covered Entity, that employee must be counted, regardless of location. This includes, but is not limited to, any shared services provided by an Affiliate that are used by the Covered Entity.

Under 23 NYCRR § 500.19(a)(2), a Covered Entity qualifies for a limited exemption only when the gross annual revenue of New York business operations of the Covered Entity combined with the gross annual revenue of New York business operations of all of its Affiliates totals less than $5 million in each of the last three fiscal years.

Under 23 NYCRR § 500.19(a)(3), a Covered Entity qualifies for a limited exemption only when the year-end total assets of the Covered Entity combined with year-end total assets of all its Affiliates, totals less than $10 million. Note that, for purposes of this exemption, year-end total assets includes all assets of all affiliates regardless of location.

1. If a Covered Entity ceases to qualify for an exemption under Section 500.19, how should the Covered Entity notify the Department?

If a Covered Entity ceases to qualify for a previously claimed exemption, the Covered Entity should, as soon as reasonably possible, notify the Department through the DFS Web Portal. The Covered Entity will terminate its previously filed exemption, which will supersede any previous filings. The Department notes that, under Section 500.19(g), if a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, “such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of” 23 NYCRR Part 500. Please note that the Department might require a Covered Entity to periodically refile its exemptions to ensure that all Covered Entities still qualify for the claimed exemption.

2. How must a Covered Entity address cybersecurity issues with respect to Utilization Review (“UR”) agents?

When a Covered Entity uses an independent UR agent, it should treat that agent as a Third Party Service Provider (“TPSP”). Since UR agents will receive Nonpublic Information from the Covered Entity, the Covered Entity must assess the risks each TPSP poses to its data and systems and effectively address those risks. The Covered Entity is ultimately responsible for ensuring that its data and systems are protected.

3. Can the same entity be a Covered Entity, an Authorized User, and a Third Party Service Provider?

Yes. Depending on the facts and circumstances, the same entity can be a Covered Entity, an Authorized User, and a Third Party Service Provider.

This is common in the case of independent insurance agents. For example, a DFS-licensed independent agent that works with multiple insurance companies is a Covered Entity with its own obligation to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information. See 23 NYCRR 500.02.

In addition, when the independent agent holds or has access to any Nonpublic Information or Information Systems maintained by an insurance company with which it works (for example, for quotations, issuing a policy or any other data or system access), the independent agent will be a Third Party Service Provider with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including but not limited to risk based policies and procedures for minimum cybersecurity practices, due diligence processes, periodic assessment, access controls, and encryption).

Further, an independent agent will also be an Authorized User if it participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.

It is also noted that, like any other Covered Entity, an insurance company may also be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.

In all events, each Covered Entity is responsible for thoroughly evaluating its relationships with other entities in order to ensure that it is fully complying with all applicable provisions of 23 NYCRR Part 500.

4. If I have a limited exemption, what provisions of the regulation do I still need to comply with?

Please see charts.

Exemption: 500.19(a)(1) Fewer than 10 employees working in NYS; 500.19(a)(2) Less than $5 million in gross annual revenue; 500.19(a)(3) Less than $10 million in year-end total assets

Exempt From:
500.04 - Chief Information Security Officer
500.05 - Penetration Testing and Vulnerability Assessments
500.06 - Audit Trail
500.08 - Application Security
500.10 - Cybersecurity Personnel and Intelligence
500.12 - Multi-Factor Authentication
500.14 - Training and Monitoring
500.15 - Encryption of Nonpublic Information
500.16 - Incident Response Plan

Still Required:
500.02 - Cybersecurity Program
500.03 - Cybersecurity Policy
500.07 - Access Privileges
500.09 - Risk Assessment
500.11 - Third Party Service Provider Security Policy
500.13 - Limitations on Data Retention
500.17 - Notices to Superintendent
500.18 - Confidentiality
500.19 - Exemptions
500.20 - Enforcement
500.21 - Effective Date
500.22 - Transitional Periods
500.23 - Severability

Exemption: 500.19(c) Does not control any information systems and nonpublic information; 500.19(d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company

Exempt From:
500.02 - Cybersecurity Program
500.03 - Cybersecurity Policy
500.04 - Chief Information Security Officer
500.05 - Penetration Testing and Vulnerability Assessments
500.06 - Audit Trail
500.07 - Access Privileges
500.08 - Application Security
500.10 - Cybersecurity Personnel and Intelligence
500.12 - Multi-Factor Authentication
500.14 - Training and Monitoring
500.15 - Encryption of Nonpublic Information
500.16 - Incident Response Plan

Still Required:
500.09 - Risk Assessment
500.11 - Third Party Service Provider Security Policy
500.13 - Limitations on Data Retention
500.17 - Notices to Superintendent
500.18 - Confidentiality
500.19 - Exemptions
500.20 - Enforcement
500.21 - Effective Date
500.22 - Transitional Periods
500.23 - Severability

5. How must a Covered Entity address cybersecurity issues with respect to a Bank Holding Company (“BHC”)?

Under 23 NYCRR Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, it must evaluate and address any risks that a BHC (or other affiliate of the Covered Entity) presents to the Covered Entity’s Information Systems and/or Nonpublic Information. For example, if a Covered Entity shares its data and systems with a BHC, the Covered Entity must ensure that such shared data and systems are protected. Specifically, the Covered Entity must evaluate and address in its Risk Assessment, cybersecurity program and cybersecurity policies the risks that the BHC poses with respect to such shared Information Systems and/or Nonpublic Information. In the same manner, a Covered Entity must also evaluate and address other cybersecurity risks that a BHC may pose to it. A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC or that otherwise may be subjected to risk by a BHC. Other regulatory requirements may also apply, depending on the individual facts and circumstances.

6. Can a Common Trust Fund (“CTF”) that is administered by another Covered Entity rely on the cybersecurity program of that Covered Entity?

A CTF that is administered by another Covered Entity can rely on the cybersecurity program of that Covered Entity, as long as that cybersecurity program conforms with 23 NYCRR Part 500 and fully protects the CTF. Under these circumstances, the Covered Entity must submit a Certification of Compliance to the Department.

If the CTF is administered by a national bank, then the Department will defer to that bank’s primary regulator to ensure that the CTF has a proper cybersecurity program. Further, to protect markets, the Department strongly encourages all financial entities, including CTFs administered by national banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

7. If I am an individual with no Board of Directors, then who can file my Certification of Compliance?

23 NYCRR 500.01 defines Senior Officer as "the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity…" A Covered Entity is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." Individuals filing a Certification of Compliance for their own individual license should file their Certification selecting the self option. When choosing self, you will be able to file for your own individual license and will be acting as a Senior Officer, as defined in the Regulation.

8. Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?

Under N.Y. Bank Law § 590(2)(b-1), an exempt entity will need to prove its "exempt organization" status. Since the notification is not an authorization from the Department, an Exempt Mortgage Servicer, under N.Y. Bank Law § 590(2)(b-1), will not fit the definition of a Covered Entity under 500.01(c). However, Exempt Mortgage Loan Servicers that also hold a license, registration, or received approval under the provisions of Part 418.2(e) are required to prove exemption and comply with the regulation. With respect to the DFS cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

9. Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500?

Yes. Not-for-profit Mortgage Brokers are Covered Entities under 23 NYCRR 500. 3 NYCRR Part 39.4(e) provides that Mortgage Brokers "which seek exemption may submit a letter application" to the Mortgage Banking unit of the Department at the address set forth in section 1.1 of Supervisory Policy G 1, "together with such information as may be prescribed by" the Superintendent. As this authorization is necessary for a Not-for-profit Mortgage Broker, it is a Covered Entity under 23 NYCRR 500.

10. Do Covered Entities have any obligations when acquiring or merging with a new company?

Section 500.09(a) states that the "Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Information Systems, Nonpublic Information or business operations." Furthermore, Section 500.08(b) states that the institution's application security "procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity." As such, when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The Department emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.

11. Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities?

Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are "operating under or required to operate under" DFS authorizations pursuant to the Insurance Law. Moreover, since these entities have sensitive, private data, their compliance with cybersecurity protection is necessary.

12. Assuming there is no continuous monitoring under 23 NYCRR Section 500.05, does the Department require that a Covered Entity complete a Penetration Test and vulnerability assessments by March 1, 2018?

The Regulation requires Covered Entities to have a plan in place that provides for Penetration Testing to be done as appropriate to address the risks of the Covered Entity. Such a plan must encompass Penetration Testing at least annually and bi-annual vulnerability assessments, but the first annual Penetration Testing and first vulnerability assessment need not have been concluded before March 1, 2018 under Section 500.05. The Department expects all institutions with no continuous monitoring to complete robust Penetration Testing and vulnerability assessment in a timely manner, as they are a crucial component of a cybersecurity program.

13. If Covered Entity A utilizes Covered Entity B (not related to Covered Entity A) as a Third Party Service Provider, and Covered Entity B provides Covered Entity A with evidence of its Certification of Compliance with NYSDFS Cybersecurity Regulations, could that be considered adequate due diligence under the due diligence process required by Section 500.11(a)(3)?

No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks. The Department has provided a two-year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019.

14. Does a Covered Entity need to amend its Notice of Exemption in the event of changes after the initial submission (e.g., name changes or changes to the applicable exemption(s))?

If there are changes, the Covered Entity can amend its initial filing through the DFS Web Portal. When accessing the portal, Covered Entities will need to choose the “amend exemption” option and file an updated exemption by selecting the exemptions that they still qualify for. For example, if a Covered Entity originally submitted a Notice of Exemption stating that it qualified for exemptions under Sections 500.19(b) and 500.19(a)(1), but it now only qualifies for a Section 500.19(a)(1) exemption, then the Covered Entity must amend its Notice of Exemption with the correct information. Please note that the Department might require a Covered Entity to periodically refile its exemptions to ensure that all Covered Entities still qualify for the claimed exemption.

The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Portal. The Covered Entity should utilize the account that they used to file the original Notice of Exemption or create a new account if an individual filing was previously not made. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.

15. Should a Covered Entity send supporting documentation along with the Certification of Compliance?

The Covered Entity must submit the compliance certification to the Department and is not required to submit explanatory or additional materials with the certification. The certification is intended as a stand-alone document required by the regulation. The Department also expects that the Covered Entity maintains the documents and records necessary to support the certification, should the Department request such information in the future. Likewise, under 23 NYCRR Section 500.17, to the extent a Covered Entity has identified areas, systems, or processes that require material improvement, updating or redesign, the Covered Entity must document such efforts and maintain such schedules and documentation for inspection during the examination process or as otherwise requested by the Department.

16. Is a Covered Entity entitled to an exemption under Section 500.19(b) if that Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity?

Section 500.19(b) states that a Covered Entity who is an "employee, agent, representative or designee of a Covered Entity . . . is exempt from" 23 NYCRR Part 500 and "need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity" (emphasis added). This exemption requires an entire employee, agent, representative or designee to be fully covered by the program of another Covered Entity. Therefore, a Covered Entity who is an employee, agent, representative or designee of more than one other Covered Entity will only qualify for a Section 500.19(b) exemption where the cybersecurity program of at least one of its parent Covered Entities fully covers all aspects of the employee's, agent's, representative's or designee's business.

17. Does a Covered Entity that qualifies for an exemption under 23 NYCRR Section 500.19(b) need to file a notice of exemption?

Yes. 23 NYCRR 500.19 subsections (a) through (d) set forth certain limited exemptions from different requirements of Part 500. Pursuant to 23 NYCRR Section 500.19(e): "[a] Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption" (emphasis added).

18. Under Section 500.04(b), can the requirement that the CISO report in writing at least annually "to the Covered Entity's board of directors" (the "board") be met by reporting to an authorized subcommittee of the board?

No. The Department emphasizes that a well-informed board is a crucial part of an effective cybersecurity program and the CISO's reporting to the full board is important to enable the board to assess the Covered Entity's governance, funding, structure and effectiveness as well as compliance with 23 NYCRR Part 500 or other applicable laws or regulations.

19. Can a Covered Entity file a notice of exemption on behalf of its employees or agents?

By permission, the Department will approve certain Covered Entities to file notices of exemption on behalf of their employees or captive agents who are also Covered Entities. This option is only available for filings of 50 or more employees or captive agents and only if all employees or captive agents qualify for the same exemptions. Covered Entities with over 50 employees or agents on whose behalf they have authority to file should contact the Department at [email protected] from the email address associated with their Cybersecurity portal account and attach the Request for Multiple Filing of Notices of Exemption. The Department will coordinate with the Covered Entity to submit a one-time filing form to effectuate an exemption filing for multiple covered entities. The submitter will need to provide the first and last name, DFS identification number, type of license, and email for every employee or captive agent. After approval, the Department will send more detailed instructions and the exemption spreadsheet. In the event that there are any changes, the entity will be able to add and terminate exemptions through the portal. The Department emphasizes that the employee or captive agent for whom the Covered Entity is filing continues to be ultimately responsible for ensuring compliance with 23 NYCRR Part 500. It remains the responsibility of the employee or captive agent to notify the Department of any changes in their status.

20. When is an unsuccessful attack a Cybersecurity Event that has or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” under the reporting requirements of 23 NYCRR Section 500.17(a)(2)?

The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities’ cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.

The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department. Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.

The Department recognizes that Covered Entities’ focus should be on preventing cybersecurity attacks and improving systems to protect the institution and its customers. The Department’s notice requirement is intended to facilitate information sharing about serious events that threaten an institution’s integrity and that may be relevant to the Department’s overall supervision of the financial services industries. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.

21. Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500?

New York is a signatory to the Nationwide Cooperative Agreement, Revised as of December 9, 1997 (the “Agreement”), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches. In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination. DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York. With respect to the DFS cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

22. How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?

When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections 500.09, 500.02 and 500.03, respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.

23. If a Covered Entity qualifies for a limited exemption, does it need to comply with 23 NYCRR Part 500?

The exemptions listed in 23 NYCRR Part 500.19 are limited in scope. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for these exempted entities. As such, Covered Entities that qualify for those exemptions are only exempt from complying with certain provisions as set forth in the regulation, but must comply with the sections listed in the exemption that applies to that Covered Entity.

24. Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers?

Yes. 23 NYCRR 500.17(a) must be read in combination with other laws and regulations that apply to consumer privacy. Under 23 NYCRR 500.17(a)(1), a Covered Entity must give notice to the Department of any Cybersecurity Event “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. To offer just one example, New York’s information security breach and notification law requires notices to affected consumers and to certain government bodies following a data breach. Under 23 NYCRR 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to the Department.

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” To the extent a Cybersecurity Event involves material consumer harm, it is covered by this provision.

25. Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event?

New York’s information security breach and notification law (General Business Law Section 899-aa) requires notice to consumers who have been affected by cybersecurity incidents. Further, under 23 NYCRR Part 500, a Covered Entity’s cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address, as part of their incident response plans, external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of 23 NYCRR Part 500.

27. May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it?

A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part, as long as the Covered Entity's overall cybersecurity program meets all requirements of 23 NYCRR Part 500. The Covered Entity remains responsible for full compliance with the requirements of 23 NYCRR Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.

28. May the certification requirement of 23 NYCRR 500.17(b) be met by an Affiliate?

No. Each Covered Entity is required to annually certify its compliance with Part 500 as required by 23 NYCRR 500.17(b).

29. To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?

To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR 500.04(a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR 500.04(a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

30. Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500?

Yes. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch's, agency's or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.

31. Where interrelated requirements under 23 NYCRR Part 500 are subject to different transitional periods, when and to what extent are Covered Entities required to comply with currently applicable requirements that are impacted by separate requirements for which the applicable transitional period has not yet ended?

Covered Entities have 180 days from the March 1, 2017, effective date to come into compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified in 23 NYCRR 500.22. While complying with currently applicable requirements under the final rule, Covered Entities are generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended. For example, while Covered Entities will be required to have a cybersecurity program as well as policies and procedures in place by August 28, 2017, the Department recognizes that in some cases there may be updates and revisions thereafter that incorporate the results of a Risk Assessment later conducted, or other elements of Part 500 that are subject to longer transitional periods.

32. Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018?

Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) by February 15, 2018. This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR 500.22 has terminated prior to February 15, 2018. Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019. Due to the outbreak of COVID-19, the deadline for certification of compliance with 23 NYCRR 500.11 has been extended until June 1, 2020.

33. May a Covered Entity submit a certification under 23 NYCRR 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500?

The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 as of December 31 of the previous calendar year. To the extent a particular requirement of Part 500 is subject to an ongoing transitional period under 23 NYCRR 500.22 at the time of certification, that requirement would not be considered applicable for purposes of a certification under 23 NYCRR 500.17(b).

34. What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.05?

Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to detect, on an ongoing basis, changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR 500.05.

35. When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)?

23 NYCRR 500.17(a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred. A Cybersecurity Event is reportable if it falls into at least one of the following categories:

  • the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
  • the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.

36. How should a Covered Entity submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events?

Cybersecurity Notices of Exemption, Certifications of Compliance, and Notices of Cybersecurity Events should be filed electronically via the DFS Web Portal as instructed. You will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.

37. Can an entity be both a Covered Entity and a Third Party Service Provider under 23 NYCRR Part 500?

Yes. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of 23 NYCRR Part 500 as a Covered Entity.

38. Are all Third Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity?

23 NYCRR 500.11, among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity's Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. 23 NYCRR 500.11(b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, 23 NYCRR 500.11(b) requires Covered Entities to make a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.

39. When there is a Cybersecurity Event at a Third Party Service Provider that affects a Covered Entity, is that Covered Entity required to notify DFS even if the Third Party Service Provider notifies DFS on the Covered Entity’s behalf?

Yes. Under 23 NYCRR Section 500.17(a), “[e]ach Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.” Thus, if a Cybersecurity Event at a Third Party Service Provider affects a Covered Entity, then the Covered Entity itself must provide notice to DFS directly – regardless of whether the Third Party Service Provider is also a Covered Entity or offers to provide notice on the Covered Entity’s behalf. Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry.

40. Are cloud-based email, document hosting, and related services part of a Covered Entity’s internal networks which would require the use of Multi-Factor Authentication (“MFA”) pursuant to 23 NYCRR § 500.12(b)?

Yes. Under Section 500.12(b), MFA is required when accessing internal networks from an external network unless the Covered Entity’s Chief Information Security Officer has approved in writing the use of reasonably equivalent or more secure access controls. Internal networks include email, document hosting, and related services whether on-premises or in the cloud such as, for example, O365 and G-Suite. These services contain Nonpublic Information that Covered Entities are required to protect.

41. Should Covered Entities use a cyber assessment framework as part of their risk assessment process?

The risk assessments required by Sections 500.9 & 500.2(b) are the foundation of the comprehensive cybersecurity program required by DFS’s Cybersecurity Regulation, and a cyber assessment framework is a useful component of a comprehensive risk assessment. DFS does not require a specific standard or framework for use in the risk assessment process. Rather, we expect Covered Entities to implement a framework and methodology that best suits their risk and operations. Among the widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.