Cyber security New York
Who must file:
All entities/persons who are either regulated or licensed by the New York State Department of Financial Services must file cyber security notices to the Superintendent.
Any regulated person/company who is eligible for an exemption from Cyber security New York must file a notice of exemption with DFS. You must file the notice of exemption status before the certification deadline of February 15, 2019. Even if you have previously filed, you must refile. You do not need to either remove or terminate previously filed Notices of Exemptions. If you are a DFS regulated entity or licensed person and qualify for an exemption, you must file an initial exempt status during January 2019. Before your annual certification, you must do this. Thereafter, if you have any status change, you will need to make them through filing either an amendment or termination.
Update for 2020
Key Dates for 2020 Filings
April 15, 2020 – Compliance Certification Filing Deadline
- Regulated entities and licensed people must file the Certification of Compliance for calendar year 2019 between January 1, 2020, and April 15, 2020. Starting in 2020, DFS will extend the date for filing the Certification of Compliance from February 15th of each year to April 15th of each year.
Covered Entities Do Not Need to File New Notices of Exemption
- Any DFS regulated entity or licensed person who already filed a Notice of Exemption will not need to refile a new exemption. If there are any changes, since you last filed, then the entity or individual should update their status.
How do I File for Cyber security New York:
You can file by using the DFS Cyber security Portal. Please use an identifying number when you file. Identifying numbers include either your NY state license number NAIC/NY Entity number, NMLS number or Institution number. Use an identifying number to help ensure that your file is properly matched to either the Covered Entity or licensed person. Please have your license number available when are ready to file. There is a look-up feature on the portal in the event that you are unsure of which number to use.
Please note: If you filed an exemption in 2017 or 2018 they have expired. If you are eligible for an exemption, you must file an initial Notice of Exempt status before the annual due date for your certifications of compliance February 15, 2019.
Cyber security New York exemption:
Before you start a Notice of Exemption, you should find out which exemptions match your situation. The following is a list of explanations for exemptions provided for in 23 NYCRR 500.19:
Apply this exemption if the Covered Entity has less than 10 employees. This includes independent contractors. This is a limited exemption. You must still design and use a cyber security program that meets at least some of the regulatory requirements. These requirements include that you submit an annual Certification of Compliance.
Use this exemption if; as a Covered Entity you have less than $5,000,000 in gross annual income from NY business for each of the last 3 fiscal years. This is a limited exemption. You still must design and use a cyber security program that meets some, not all, of the regulatory requirements. This includes the submission an annual Certification of Compliance.
You can use this exemption if you are a Covered Entity with less than $10,000,000 in total assets at the end of the year. This is a limited exemption, you must still design and implement a cyber security program that meets some but not all the regulatory requirements. This includes submitting an annual Certification of Compliance.
Apply this exemption if you are either an employee, agent, representative or designee of another Covered Entity and use that entity’s cyber security program. When this is the case, you do not need to create your own program. However, you will need to identify the Covered Entity whose program you use to claim this exemption. If you use this exemption, you must be covered by the program of another Covered Entity. If you submit a Notice of Exemption under 500.19(b) you must to provide the name and address of the covered entity that supports the cyber security you are using. Also, you must provide the name of a representative who can confirm the cyber security program you are using.
This exemption applies if you are a Covered Entity that does not use an Information System either directly or indirectly and that does not, and is not required to, own, access, generate, receive or possess Nonpublic Information. This is a limited exemption. You must complete the annual risk assessment. You must also confirm that the company still qualifies for this exemption. There are still some, not all regulatory requirements you need to meet. This includes the submission of an annual Certification of Compliance.
If you want to learn more about Medicare sales, click here