NY DFS Cybersecurity Requirements: Who Should Be Listening

Companies that have been following the New York Department of Financial Services (NY DFS) Cybersecurity Requirements and have educated themselves on the regulation could jump right into the substance of the requirements.

But for those of you who are just catching up and beginning to evaluate this state cybersecurity rule, the first step is understanding whether, and to what extent, this requirement applies to your company.

Looking at the scope of applicability, the NY DFS Cybersecurity Requirement states that it applies to “Covered Entities”:

Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. – 23 NYCRR 500, Section 500.01(c)

Put simply, if your company does not operate under, and is not required to maintain, any of the above authorizations in the course of its business, it likely does not fall within the scope of companies covered by the NY DFS cybersecurity regulations. (But as we’ll discuss later in this post, that doesn’t mean you should ignore these requirements.)

Even if your company falls under the “Covered Entity” umbrella, Section 500.19 (“Exemptions”) of the regulation provides several carve-outs that exempt certain types of Covered Entities from some or all of the NY DFS cybersecurity requirements. It’s important to understand whether your company falls within one of these exemptions, as it may affect how you prioritize your ongoing initiatives to improve your company’s cybersecurity health. The categories of exempted companies are as follows:

  • Type of Covered Entity: Has fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.
    • What This Type Is Exempt From: Sections 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan).
    • What Is Still Left to Address: 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.07 (Access Privileges), 500.09 (Risk Assessment), 500.11 (Third Party Service Provider Security Policy), and 500.13 (Limitations on Data Retention).

  • Type of Covered Entity: Has less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates.
    • What This Type Is Exempt From: Sections 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan).
    • What Is Still Left to Address: 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.07 (Access Privileges), 500.09 (Risk Assessment), 500.11 (Third Party Service Provider Security Policy), and 500.13 (Limitations on Data Retention).

  • Type of Covered Entity: Has less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
    • What This Type Is Exempt From: Sections 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan).
    • What Is Still Left to Address: 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.07 (Access Privileges), 500.09 (Risk Assessment), 500.11 (Third Party Service Provider Security Policy), and 500.13 (Limitations on Data Retention).

  • Type of Covered Entity: Does not directly or indirectly operate, maintain, utilize or control any Information Systems, and does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information.
    • What This Type Is Exempt From: Sections 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.07 (Access Privileges), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan).
    • What Is Still Left to Address: 500.09 (Risk Assessment), 500.11 (Third Party Service Provider Security Policy), and 500.13 (Limitations on Data Retention).

  • Type of Covered Entity: A Covered Entity under Article 70 of the Insurance Law that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates).
    • What This Type Is Exempt From: Sections 500.02 (Cybersecurity Program), 500.03 (Cybersecurity Policy), 500.04 (Chief Information Security Officer), 500.05 (Penetration Testing and Vulnerability Assessments), 500.06 (Audit Trail), 500.07 (Access Privileges), 500.08 (Application Security), 500.10 (Cybersecurity Personnel and Intelligence), 500.12 (Multi-Factor Authentication), 500.14 (Training and Monitoring), 500.15 (Encryption of Nonpublic Information), and 500.16 (Incident Response Plan).
    • What Is Still Left to Address: 500.09 (Risk Assessment), 500.11 (Third Party Service Provider Security Policy), and 500.13 (Limitations on Data Retention).

  • Other Exemption Type: An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity.
    • What This Type Is Exempt From: All of the requirements; this type need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.
    • What Is Still Left to Address: Any elements not covered by the cybersecurity program of the Covered Entity.

  • Other Exemption Type: Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.
    • What This Type Is Exempt From: All of the requirements, provided such Persons do not otherwise qualify as a Covered Entity.
    • What Is Still Left to Address: Confirming that the Person does not otherwise qualify as a Covered Entity.

If your company falls within any of these exemptions, you are required to file a Notice of Exemption within 30 days of the determination that the Covered Entity is exempt. However, a partial or complete exemption shouldn’t be construed as a license to ignore the security controls outlined by this regulation, because NY DFS standards may be adopted by other parties as a benchmark for good cybersecurity. This means a lack of adherence to these standards could, depending on the parties and circumstances involved, have ramifications in mergers, acquisitions, insurance, and so on, even for those not directly subject to the regulation.

If your company does not fall within any of these exemptions (or if you fall within a partial exemption) and you’re ready to start tackling the requirements, click here for more information.

Disclaimer: The contents of this post are intended to convey general information only and not to provide legal advice or opinions. You should contact your attorney to obtain advice with respect to any particular issue or problem.
