With the annual deadline for New York insurance licensees to certify their compliance with the state’s cybersecurity regulation approaching, it seems the perfect time to address three common misconceptions about a key aspect of the regulation — exemptions.
Myth #1: I’m not a New York resident, so none of this applies to me.
New York’s Cybersecurity Regulation defined a Covered Entity as:
… any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
“Person” refers to both individuals and business entities, in this case. It doesn’t matter if you hold a resident or non-resident insurance license in New York; this regulation applies to you. Note that the regulation also doesn’t specify license class or lines of authority. Whether you’re a producer, an adjuster, a surplus lines broker, a third party administrator, a title agent, etc., you still fall under the regulation.
Myth #2: I’m exempt, so I don’t need to do anything.
Exemptions aren’t self-executing. If you meet the criteria (see Section 500.19), you must still file an exemption with the state. It’s easy to do. You’ll need to create an account on the NY DFS Secure Portal. Once you have your login credentials, sign in and choose the Exemption menu. You’ll then need to select identify who is filing for the exemption and indicate which reason entitles you to the exemption. If you are an individual who is covered by your agency’s or brokerage’s cybersecurity plan, you’ll also need to identify that Covered Entity.
The DFS offers step-by-step instructions on how to file for the various exemptions.
Myth #3: Once I file an exemption, I’m done. I never have to think about this again.
It’s true that exemptions don’t have to be filed annually, but it’s a good idea to check regularly to ensure that you still meet the qualifying criteria. If you don’t, you’ll either need to file an amended exemption citing the applicable criteria or start complying fully with the regulation.
For example, a common reason for needing to file an amended exemption is taking a job with a new employer. Remember that your exemption as an employee identifies whose cybersecurity plan covers you. So if that employer changes, you must update the Covered Entity information. Also, keep in mind that most exemptions are only partial ones. You’ll likely still need to complete certain compliance tasks and file an annual certification.
They’re Not Kidding!
Regardless of how many or how few sections of the regulation apply to you, it’s essential to keep in mind that New York is VERY serious about protecting the financial services industry and the people it serves from cybercrime. A half-hearted effort won’t suffice! That’s one reason why the annual Certification of Compliance is a yes or no question. Either you comply fully with all sections that apply to you or you don’t certify at all.
The DFS and other New York-based organizations, such as ELANY, offer many resources to make cybersecurity easier. But in the end, it’s up to you to take the necessary steps to stay in compliance.