NYS CyberSecurity Certification Due April 15th
CyberSecurity Certification
The deadline for NYS resident licensed insurance professionals to file their cybersecurity certification is April 15th!
https://www.dfs.ny.gov/industry_guidance/cybersecurity
Helpful How To’s
- Instructions on How to File Certification of Compliance
- Sample Security Policy Template
- Instructions on Filing a New or Initial Notice of Exemption
FAQs
Q: I’ve qualified for an exemption in previous years, do I need to do anything?
A: Yes, even if you fall into one of the exempt categories, you must go on to the website listed to the right and file a notice of exemption.
Q: Great, what are the steps for filing?
A: Go to https://www.dfs.ny.gov/industry_guidance/cybersecurity
- Go to “Industry Guidance” and in that section go to “Cybersecurity Resource Center”
- In the middle of the page you will see “Instructions on How to File”
- Enter your account information and sign in
- To file an exemption click “Begin” under the Exemption heading
- Enter your NYS Insurance license number
- This should bring up your name (or corporate name); then click “Next”
- Select “This is the first exemption filed for this entity or individual”
- This will bring up a list of exemptions; select those that you qualify for (you can select more than one, if applicable). Click submit and then done. You will receive a receipt number, which will also be emailed to you.
Q: What are the exemptions?
500.19(a)(1) – You are entitled to this exemption when a Covered Entity has fewer than 10 employees, including independent contractors. This is a limited exemption and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.
500.19(a)(2) – You are entitled to this exemption when a Covered Entity has less than $5,000,000 in gross annual revenue in each of the last 3 fiscal years from NY business. This is a limited exemption and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.
500.19(a)(3) – You are entitled to this exemption when a Covered Entity has less than $10,000,000 in year-end total assets. This is a limited exemption and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.
500.19(b) – You are entitled to this exemption when you are an employee, agent, representative, or designee of another Covered Entity and you are following that entity’s cybersecurity program. Under this exemption you do not need to create your own program, but you will be required to identify the Covered Entity whose program you are following to claim this exemption.
500.19(c) – You are entitled to this exemption when a Covered Entity does not operate, maintain, utilize, or control any IT systems and does not, and is not required to, control, own, access, generate, receive, or possess Nonpublic Information. This is a limited exemption and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.
500.19(d) – You are entitled to this exemption if you are a Covered Entity that is a captive insurance company that does not, and is not required to, control, own, access, generate, receive, or possess Nonpublic Information.
Q: If I’m exempt, are there any requirements for me?
A: Yes. If you filed for an exemption under subsection (a) of 23 NYCRR 500.19, you still must:
- maintain a Cybersecurity Program as required in section 500.02
- maintain a Cybersecurity Policy as required in section 500.03
- limit Access Privileges as required in section 500.07
- conduct a Risk Assessment as required by section 500.09
- implement a Third Party Service Provider policy as required by section 500.11
- limit your Data Retention as required in section 500.13
- provide Notices to the Superintendent as required by section 500.17, which includes filing an annual Certification of Compliance

If you filed for an exemption under subsections (c) or (d) of 23 NYCRR 500.19, you still must:
- conduct a Risk Assessment as required by section 500.09
- implement a Third Party Service Provider Policy as required by section 500.11
- limit your Data Retention as required in section 500.13
- provide Notices to the Superintendent as required by section 500.17, which includes filing an annual Certification of Compliance
Q: Is there a template for a privacy policy I can use to create my own policy?
A: Yes, see above to access the sample policy template link.
This is an annual certificate filing requirement. If you have any issues, please contact our office.
Still not sure? Call your Broker Manager or KAFL Team Member at 1 (800)-272-6488