Cybersecurity Resource Center

All entities and persons regulated or licensed by the Department of Financial Services are required to file various cybersecurity notices to the Superintendent.

Memo from the Superintendent (PDF)
Text of Regulation (NYCRR)
General FAQs about 23 NYCRR Part 500 - Cybersecurity
FAQs for Producers
Information about 2021 filings
Guidance Regarding the Adoption of an Affiliate’s Cybersecurity Program
Guidance Regarding Cybersecurity Awareness During COVID-19 Pandemic
Cybersecurity Tools for Small Businesses
Cybersecurity Reports and Publications

Recent Updates	Date
Industry Letter: Guidance Regarding the Adoption of an Affiliate’s Cybersecurity Program	10/22/2021
FAQs: FAQs on 23 NYCRR Part 500 Cybersecurity Notice of New FAQs Added	09/09/2021
Industry Letter: Guidance on Ransomware Prevention	06/30/2021
Press Release: Department of Financial Services Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies	05/13/2021
Report: SolarWinds Supply Chain Attack	04/27/2021
Industry Letter: Pulse Connect Secure Critical Vulnerability	04/26/2021
Industry Letter: Cyber Fraud Alert on Nonpublic Information (NPI) Follow-Up - New York Insurance Identification (ID) Card Barcode Vulnerability	04/19/2021
Press Release: Department of Financial Services Announces Cybersecurity Settlement with National Securities Corporation	04/12/2021
Industry Letter: Cyber Fraud Alert Cyber Fraud Alert Regarding Prefilled Nonpublic Information	03/30/2021
Industry Letter: Cybersecurity Alert to Regulated Entities Concerning Microsoft Exchange Email Servers	03/09/2021
Press Release: Department of Financial Services Announces Cybersecurity Settlement with Residential Mortgage Services, Inc.	03/03/2021
Industry Letter: Cyber Fraud Alert regarding Instant Quote Websites	02/16/2021
Circular Letter: Circular Letter No. 2 (2021): Cyber Insurance Risk Framework	02/04/2021
Industry Letter: SolarWinds Supply Chain Compromise Alert	12/18/2020
Report: Twitter Cybersecurity Investigation	10/14/2020

Report a Cybersecurity Event

To report a Cybersecurity Event to DFS, visit the DFS Portal.

Key Dates for 2021 Filings

April 15, 2021 - Compliance Certification Filing Deadline

Regulated entities and licensed persons must file the Certification of Compliance for the calendar year 2020 by April 15, 2021.

Covered Entities Do Not Need to File New Notices of Exemption

Any DFS regulated entity or licensed person who filed a Notice of Exemption previously does not need to refile a Notice of Exemption. However, if your exempt status has changed, then the entity or individual should amend or terminate their filing through the DFS portal.

How to File

The DFS Portal is available for filings. To ensure that filings are matched to the appropriate Covered Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are: New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.

To get started please visit the DFS Cybersecurity Portal:

DFS Portal

New or Initial Exemption Filings (PDF)
Amend previous Exemption Filings (PDF)
Terminate previous Exemption Filings (PDF)
Certification of Compliance (PDF)

Bulk Filing Request

By permission, the Department will approve certain Covered Entities to file notices of exemption on behalf of other Covered Entities. To gain access to the bulk filings, the Covered Entity needs to:

Have at least 50 employees or captive agents
Only file on behalf of employees or captive agents
Only file on behalf of employees or captive agents that qualify for the same exemption

To gain access to the bulk filings, email the Department at [email protected] from the email address associated with your Portal account, and attach a completed Request for Multiple Filing of Notice of Exemption (PDF) Form.

Once approved, the Department will send filing instructions and the template that must be used for filing.

Exemptions

Section 19 of the DFS cybersecurity regulation contains several exemptions. Each have been crafted to meet the particular circumstances of the Covered Entity, including smaller organizations, licensed persons who are following the cybersecurity program of another regulated company, or those who do not have any Information Systems and Nonpublic Information. Most exemptions are limited in nature and require Covered Entities to still comply with some provisions of the Regulation. All regulated persons and companies that wish to claim an exemption must file with DFS a Notice of Exemption stating their current exempt status if there was no exemption previously filed.

Exemptions previously filed have not expired. If there are changes, Covered Entities should Amend previous filings or Terminate previous filings.

Notice of Exemption

Any DFS regulated entity or licensed person that is currently entitled to an exemption must file an Initial Notice of Exemption prior to the due date for the annual Certification of Compliance. Regulated entities and licensed persons must file the Certification of Compliance by April 15 to certify for the previous calendar year.
Information About Exemptions
Instructions on Filing a New or Initial Notice of Exemption (PDF)

Receipts

After each filing you complete, you will receive an email that includes a receipt number. The receipt will indicate the year the filing was made. The receipt will also indicate the type of filing made:

Notice of Exemption will have a receipt number that begins with the letter “E.”
Certifications of Compliance will have a receipt number that starts with the letter “C.”

You should maintain a copy of this email in your records for future reference.

Questions

If you have questions about the Cybersecurity filing process or regulation email [email protected]