Cybersecurity Compliance Submission Notice: If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). Part 500 was amended for the first time in April 2020 to change the date of the required annual certification filing from February 15 of each year to April 15. 

Since the regulation was adopted, the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves. As a result, Part 500 was amended again, effective November 1, 2023.

Notably, DFS-regulated individuals and entities required to comply with the amended Cybersecurity Regulation (referred to below as “Covered Entities”) continue to include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.

This Resource Center is designed to help explain how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, answers FAQs and provides detailed information on how to submit cybersecurity-related filings, including notifications to DFS regarding compliance, cybersecurity incidents, and exemption status.

This Resource Center is frequently updated, and you may sign up for email updates on important regulatory guidance, cybersecurity alerts, and other information related to cybersecurity in the financial services sector by going to the DFS Email Updates Signup Page and subscribing to Cybersecurity Updates. These emails will come from the email address [email protected].

Questions regarding the Cybersecurity Regulation may be sent to [email protected].

On November 1, 2023, DFS announced amendments to Cybersecurity Regulation, 23 NYCRR Part 500. (See the final adopted regulatory documents on the Regulatory Activity - Financial Services Law page.)

Training Resources

To help regulated entities plan for compliance, the Department has developed Part 500 training resources:

• Download the Cybersecurity Regulation Training Presentation (PDF)
• Watch the Cybersecurity Regulation Training Presentation (Video)
• Download the Requirement Checklist (for Regulated Entities with Limited Exemptions) (PDF)
• View the 'Am I Exempt from DFS's Cybersecurity Regulation?' Flowchart (PDF)

Additional videos, resources, and training opportunities will be posted to this section of the Cybersecurity Resource Center.

Key Compliance Dates

The amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024. Changes to reporting requirements take effect one month after publication of the amended regulation, or December 1, 2023. For certain other requirements, the regulation provides for up to one year, 18 months, or two years to come into compliance.

The below Cybersecurity Implementation Timelines outline key compliances dates for each of the categories of businesses impacted by the amended regulation:

• Implementation Timeline for Small Businesses
• Implementation Timeline for Class A Businesses
• Implementation Timeline for Covered Entities

Recent Updates (past 6 months)

See all DFS Enforcement Actions

Answers to frequently asked questions concerning the Cybersecurity Regulation are below. Capitalized terms used below have the meanings assigned to them in the definition section of Part 500. “Section” references are to sections of the Cybersecurity Regulation unless otherwise stated. The Department may revise or update the below information from time to time, as appropriate.

500.1 Definitions

(d) Class A Company

(e) Covered Entities

500.2 Cybersecurity Program

500.4 Cybersecurity Governance

500.5 Vulnerability Management

500.9 Risk Assessment

500.11 Third-Party Service Provider Security Policy

500.12 Multi-Factor Authentication

500.17 Notices to Superintendent

500.17(a): Cybersecurity Incidents

500.17(b): Notice of Compliance

500.17(b)(1): Annual Submission of Certification of Material Compliance or Acknowledgment of Noncompliance

500.17(b)(2): Signatories

500.17(b)(3): Documentation

500.19 Exemptions

Covered Entities may not have to comply with some or all of the Cybersecurity Regulation’s requirements if they qualify for an exemption. There are two types of exemptions: full and limited, both of which are in section 500.19. This section first explains what qualifies a Covered Entity for an exemption, then describes the cybersecurity requirements a Covered Entity must comply with if it qualifies for an exemption, and finally provides directions on how to submit notifications to the Department regarding a Covered Entity’s exempt status.

Qualifications for Full Exemptions

Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).

To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative, or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business.

To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating, or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).

To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).

Qualifications for Limited Exemptions

Three subsections of section 500.19 provide for limited exemptions: 500.19(a), 500.19(c), and 500.19(d).

There are three ways a Covered Entity may qualify for a 500.19(a) limited exemption:

1. A Covered Entity and its Affiliates combined must have fewer than 20 employees and independent contractors (500.19(a)(1));
2. A Covered Entity must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of its business operations combined with its Affiliates’ business operations in New York State (500.19(a)(2)); or
3. A Covered Entity must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.

Affiliate, for purposes of the Cybersecurity Regulation and determining whether a Covered Entity qualifies for any of the 500.19(a) exemptions, is defined very broadly as “any person that controls, is controlled by, or is under common control with another person.”  Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” (500.1(a))

To qualify for a 500.19(c) limited exemption, a Covered Entity must not directly or indirectly operate, maintain, utilize, or control any Information Systems, and must not be required to, directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information. 

To qualify for a 500.19(d) limited exemption, a Covered Entity must be a captive insurance company that does not and is not required to directly or indirectly control, own, access, generate, receive, or possess Nonpublic Information other than information relating to its corporate parent company or affiliates.

Cybersecurity Requirements for Exempt Covered Entities

If a Covered Entity qualifies for a full exemption, it must submit a Notice of Exemption to DFS. As long as it remains qualified for a full exemption, it does not have to comply with any other section of the Cybersecurity Regulation.

If a Covered Entity qualifies for a Section 500.19(a), (c), or (d) limited exemption, it must submit a Notice of Exemption, comply with some sections of the Cybersecurity Regulation (which sections depend on the type of limited exemption and are listed in the table below), and submit annually a notice regarding the Covered Entity’s compliance with Part 500.

The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(a) exemption.

The below table outlines what sections of the regulation a Covered Entity is exempt from and must comply with if it qualifies for a Section 500.19(c) or (d) exemption.

Submitting Notice of Exemption Regarding Exempt Status

Covered Entities that have determined they qualify for an exemption should submit a Notice of Exemption within 30 days of making that determination. 500.19(f). Some Covered Entities qualify for more than one exemption, and they can indicate that on their Notice of Exemption.

Covered Entities must submit their Notices of Exemption through the DFS Portal. Detailed instructions for making this submission can be found in the Instructions on How to File a Notice of Exemption (PDF).

Amending a Filed Exemption

If a Covered Entity no longer qualifies for an exemption, it should amend or terminate its Notice of Exemption within 30 days. A Covered Entity should amend its Notice of Exemption when its qualifications for an exemption change, but it still qualifies for at least one exemption. Covered Entities must amend their Notices of Exemption through the DFS Portal. Detailed instructions for amending exemption status can be found in the Instructions on How to Amend Previously Filed Notices of Exemptions (PDF).

Terminating a Filed Exemption

A Covered Entity that no longer qualifies for any exemption must terminate their exemption as soon as reasonably possible after they no longer qualify. No matter when the termination is submitted, however, the Covered Entity has 180 days from the date they are no longer qualified to become fully compliant with the Cybersecurity Regulation.  Covered Entities must terminate their Notices of Exemption through the DFS Portal. Detailed instructions for notifying DFS that a Covered Entity no longer qualifies for an exemption can be found in the Instructions on How to Terminate Previously Filed Notices of Exemption (PDF).

Bulk Exemption Submissions

Covered Entities that employ 50 or more individual Covered Entities that qualify for the same exemption may file exemptions on behalf of those employees through the bulk submission process.

Covered Entities that qualify and would like access to use the bulk submission process should email the Department at [email protected] from the email address associated with their DFS Portal account, and the Department will send further instructions. The submitter will need to provide their name, DFS identification number, type of license, and email address for every Covered Entity on whose behalf they are submitting. The Covered Entity using the bulk submission process will be able to add and terminate exemptions as their employees’ employment and exemption status changes.

Covered Entities that have their Notice of Exemption filed as part of a bulk filing will receive an email from DFS confirming the filing. The email will include a receipt number and list the exemption(s) filed. Covered Entities must retain a copy of this receipt number for future reference as it will be the only receipt you will get from DFS regarding the submission.

Please note that Covered Entities are ultimately responsible for ensuring their compliance with Part 500. Therefore, a Covered Entity must ensure that either their employer or they notify the Department of any changes in status.

Submission Confirmation

After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to renew their licenses.

Cybersecurity Compliance Submission Notice: If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

Starting in 2024, Covered Entities will continue to be required to submit an annual notice regarding their compliance with Part 500, but will have the choice of submitting either a Certification of Material Compliance or an Acknowledgment of Noncompliance. Section 500.17(b). All Covered Entities that are not exempt from the requirement to comply with 500.17 must file one or the other each year by April 15 regarding their compliance during the previous calendar year. Covered Entities that qualify for a limited exemption pursuant to 500.19(a), (c), or (d) are required to submit one of these annual notifications by April 15 as well, but they only have to certify compliance or acknowledge noncompliance with the sections from which they are not exempt.

Annual notifications regarding compliance for the calendar year 2023 are due by April 15, 2024. They must be signed by the Covered Entity’s highest-ranking executive and its Chief Information Security Officer (“CISO”) or, if the Covered Entity does not have a CISO, the Senior Officer responsible for the cybersecurity program of the Covered Entity. Covered Entities may submit these notifications starting on January 1, 2024.

Covered Entities that have more than one license must file separate annual notifications for each license they hold. Covered Entities must keep all data and documentation supporting their annual notifications for 5 years and provide that information to the Department upon request. 500.17(b)(3).

Certification of Material Compliance

Covered Entities that were materially compliant with all sections of the Cybersecurity Regulation that applied to it during the previous calendar year must submit a Certification of Material Compliance. See instructions for how to submit a Certification of Material Compliance below.

• Certification of Material Compliance for Entities (PDF)
• Certification of Material Compliance for Individual Licensees (PDF)

Acknowledgment of Noncompliance

If a Covered Entity cannot certify that it was in material compliance with the Cybersecurity Regulation for the prior calendar year, it must file a written Acknowledgment of Noncompliance which (1) acknowledges that the Covered Entity did not materially comply with all the requirements applicable to it; (2) identifies all sections of Part 500 that the Covered Entity has not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. 500.17(b). To submit an acknowledgment, please go to the DFS Portal and follow the instructions below.

• Acknowledgement of Noncompliance for Entities (PDF)
• Acknowledgement of Noncompliance for Individual Licensees (PDF)

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Covered Entities must notify the Department of a Cybersecurity Incident as promptly as possible but in no event later than 72 hours after determining that a Cybersecurity Incident has occurred at the covered entity, its affiliates, or a third-party service provider. 500.17(a).

A Cybersecurity Incident is any act or attempt, whether successful or not, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system that:

• impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
• has a reasonable likelihood of materially harming any material part of the normal operation(s) if the covered entity; or
• results in the deployment of ransomware within a material part of the covered entity’s information system. 500.1(f) and (g)

Covered Entities must report a Cybersecurity Incident to DFS through the DFS Portal. To ensure that reports are matched to the correct individual or entity, the Portal requires the submitter to use an identifying number. An identifying number can be a NYS License number, NAIC/NY Entity number, NMLS number, or Institution number. The DFS Portal contains a look-up feature for submitters who do not know any of their identifying numbers. To notify DFS of an extortion payment, go to the DFS Portal and follow the Instructions on How to Report a Cybersecurity Incident (PDF).

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Report an Extortion Payment

Unfortunately, ransomware attacks continue to threaten financial services companies and their customers. DFS, like the FBI and other regulators, recommends against paying ransoms. While Covered Entities are not prohibited from making such payments, as of December 1, 2023, a Covered Entity that has made an extortion payment in connection with a cybersecurity event that occurred on its Information Systems must file a Notice of Extortion Payment within 24 hours of payment. Within 30 days of payment, the Covered Entity will be required to provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, it conducted to find these alternatives. Furthermore, the Covered Entity must describe the diligence it performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control. 500.17(c). To notify DFS of an extortion payment, please go to the DFS Portal and follow the Instructions on How to Report an Extortion Payment (PDF).

Note to NY LINX Users: You will need a DFS Portal account to submit cybersecurity filings via the DFS Portal, your LINX username and password will not work to access DFS Portal.

Submission Confirmation

After each submission is complete, the submitter will receive an email that includes a receipt number. The email receipt is the only confirmation of the submission that the submitter will receive. The receipt number is an important piece of information that should be kept by the Covered Entity. Covered Entities may need their receipt numbers to update DFS regarding a reported Cybersecurity Incident.

To safeguard financial services organizations and the confidential information of New Yorkers, DFS uses a multi-pronged approach to monitor cyber risk. The cyber supervision program supplements traditional examinations with new types of information-gathering and analysis activities intended to create a holistic view of the cybersecurity risk posture of the thousands of New York financial services firms regulated by DFS.

The Department's approach was a first among regulators when it was launched as a pilot in December 2021 and has three key components: 

Regulatory Examinations and Data Analysis

DFS will continue to conduct regular examinations that include a focus on cybersecurity/IT risk and compliance. It will also assess Covered Entities for cybersecurity risk based on their previous examination reports, annual cybersecurity regulation compliance filings, reported incidents, and other regulatory filings.

Cyber Controls Assessment Questionnaires

DFS will periodically ask Covered Entities to complete assessment questionnaires, such as the Cybersecurity and Information Technology Baseline Risk Questionnaire. Such questionnaires will be independent of the examination process and are based on similar assessments used by industry and insurers to assess risk for financial services companies.

External Data Scans and Analysis

To better and faster assess cyber risk facing Covered Entities, DFS uses various sources of information to develop an “outside-in” view of cyber risk of specific regulated entities as well as New York State’s financial services sector overall. Such information may come from information-sharing arrangements with public sector partners and industry organizations. DFS also conducts data gathering and analysis through its dedicated Cyber Intelligence Unit which draws on a mix of sources including DFS data, publicly available information, and commercial scanning and threat analysis capabilities.

Cybersecurity Compliance Submission Notice: If you are experiencing password login issues when trying to submit your annual cybersecurity filing, visit the Lost Passwords and Locked Accounts Portal page and follow the instructions. You will need a DFS Portal account to submit a cybersecurity filing via the DFS Portal – your LINX username and password will not work to access DFS Portal. The system is currently experiencing a high volume of submissions, which may result in system time outs. It this occurs while logging in or submitting your filing, please try again.

This part of the Cybersecurity Resource Center has been developed specifically for DFS-regulated individuals and small businesses. It is intended to provide clear, step-by-step instructions for complying with the Cybersecurity Regulation.

Step 1. Determine whether you need to comply with the Cybersecurity Regulation.

If you have a license issued by DFS or are otherwise regulated by DFS, you must comply with the Cybersecurity Regulation. That is because the Cybersecurity Regulation applies to all individuals and small businesses that are “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under the Banking, Insurance or Financial Services Laws. Section 500.1(e).

Step 2. Determine whether you qualify for any of the exemptions listed in the Cybersecurity Regulation.

Many individual brokers, agents, and adjusters, as well as some small businesses, qualify for an exemption. The exemptions are listed in Section 500.19 and fall into two categories: full and limited.

Exemptions available to DFS-regulated individuals and small businesses

Full Exemptions

Three subsections of 500.19 provide for full exemptions: 500.19(b), 500.19(e), and 500.19(g).

To qualify for a 500.19(b) exemption, a Covered Entity must be an employee, agent, wholly owned subsidiary, representative or designee of another DFS-regulated business and all aspects of the Covered Entity’s business must be fully covered by the Cybersecurity Program of the other DFS-regulated business (referred to as the Covering Entity). Individuals who only work for one company and do not work on any other outside matters typically qualify for this exemption.

To qualify for a 500.19(e) exemption, a Covered Entity must be an inactive individual insurance broker (subject to Insurance Law section 2104) who (1) does not maintain, control or use, even indirectly, any Information Systems and does not have any Nonpublic Information; (2) has not, for anything of value, acted or aided in any manner in soliciting, negotiating or selling any policy or contract or in placing risks or taking out insurance on behalf of another person for at least one year; and (3) does not otherwise qualify as a Covered Entity (for example, does not hold another type of license). For exact language, see 500.19(e).

To qualify for a 500.19(g) exemption, a Covered Entity must not otherwise qualify as a Covered Entity by virtue of another license and must be (1) a charitable annuity society, (2) a risk retention group not chartered in NY, (3) an individual insurance agent placed in inactive status under Insurance Law §2103, (4) an individual mortgage loan originator placed in inactive status under Banking Law §599-i, or (5) an accredited reinsurer, certified reinsurer, or recognized reciprocal jurisdiction reinsurer pursuant to 11 NYCRR Part 125. For exact language, see 500.19(g).

Whether you qualify for one of these exemptions depends on your specific circumstances. DFS cannot make that determination for you.

Limited Exemptions

If you don’t qualify for any of the full exemptions, you may qualify for a limited exemption, which means that, if you qualify, you must submit a Notice of Exemption through the DFS Portal, comply with certain sections of the Cybersecurity Regulation (which we will discuss in Step 4), and submit an annual Certification of Material Compliance or Acknowledgment of Noncompliance.

The following are the most common exemptions for small businesses and individuals: Sections 500.19(a)(1), 500.19(a)(2), and 500.19(a)(3).

To qualify under Section 500.19(a)(1), a business, along with any Affiliates, must have fewer than 20 employees and independent contractors.

To qualify under Section 500.19(a)(2), an individual or business must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of its business operations combined with its Affiliates’ business operations in New York State.

To qualify under Section 500.19(a)(3), an individual or business must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.

Affiliate, for purposes of the Cybersecurity Regulation and determining whether any of the 500.19(a) exemptions apply, is defined very broadly as “any person that controls, is controlled by or is under common control with another person.”  Control here “means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.”

Individuals and small businesses may also qualify for the limited exemption set forth in Section 500.19(c) if they (1) do not operate, maintain, use, or control a computer or other device that holds electronic data, including phones; and (2) do not, and are not required to, control, own, access, generate, receive, or possess confidential customer and other sensitive business and private information.

You may qualify for more than one of the limited exemptions listed above. If you do, you should indicate that when you submit your Notice of Exemption.

Whether you qualify for an exemption depends on your specific circumstances. DFS cannot make that determination for you.

If you do NOT qualify for an exemption, you must comply with all sections of the Cybersecurity Regulation and can skip Steps 3 and 4.

Step 3. If you qualify for one or more limited exemptions or the 500.19(b) or 500.19(e) full exemptions, submit a Notice of Exemption. 

To receive the benefits of qualifying for an exemption, you must submit a Notice of Exemption through the DFS Portal (see instructions on setting up a DFS Portal account.) 

Note that if you qualify for a full exemption pursuant to Section 500.19(b), you will need to provide the name of the Covering Entity (the DFS-regulated entity whose cybersecurity program covers all aspects of your work) when submitting your Notice of Exemption. If your business qualifies for the Section 19(b) exemption because it is a wholly owned subsidiary of another DFS-regulated entity, you will need to provide the name of your DFS-regulated parent company whose cybersecurity program covers all aspects of your business’s work. You or your business cannot claim yourself or itself as the Covering Entity or parent company.

Notices of Exemption are good until they are terminated which means you do not need to submit a Notice each year; however, if you qualify for a full exemption pursuant to Sections 500.19(b), (e), or (g), you should review your status every year to determine whether you still qualify for the exemption. If you qualify for a limited exemption pursuant to Sections 500.19(a), (c), or (d), you will be asked whether you still qualify for an exemption when you submit your annual Certification of Material Compliance or Acknowledgment of Noncompliance.

If your qualifications for an exemption have changed (for example, when you stop working for the DFS-regulated company or stop using their cybersecurity program), you are responsible for making sure your exemption is amended or terminated. If your company submitted a Notice of Exemption on your behalf, the company may terminate your exemption, but it is your responsibility to make sure that is done.

• Instructions on How to File a Notice of Exemption (PDF)
• Instructions on How to Amend Previously Filed Notices of Exemptions (PDF)
• Instructions on How to Terminate Previously Filed Notices of Exemption (PDF)

If you qualify for a full exemption and have submitted your Notice of Exemption, you do not need to proceed past this step. However, if you only qualify for one or more limited exemptions pursuant to Section 500.19(a), (c) or (d), you must submit a Notice of Exemption AND proceed to Step 4.

Step 4. If you qualify for one of the limited exemptions, determine which sections of the Cybersecurity Regulation you must comply with.

If you qualify for a Section 500.19(a)(1), (2), or (3) exemption, you are still required to: maintain a cybersecurity program as required in Section 500.2 and cybersecurity policies as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

Additionally, starting in November 2024, you will also be required to comply with the MFA requirements in Section 500.12 and provide cybersecurity awareness training pursuant to Section 500.14(a)(3).

If you qualify for a Section 500.19(c) or (d) exemption, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.

Importantly, if you qualify for a limited exemption, you still must submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 every year pursuant to Section 500.17. However, you only need to certify that you are materially complying with the sections of the Cybersecurity Regulation that are applicable to you or acknowledge your noncompliance with those sections.

Step 5. Take action to comply with the sections of the Cybersecurity Regulation applicable to you.

Once you determine which sections of the Cybersecurity Regulation apply to you (see Step 4), take action to comply. You can use the short descriptions below to prepare a list of the sections that apply to you along with any needed actions.

Section 500.2 – Maintain a cybersecurity program. This section requires you to have a cybersecurity program that enables you or your company to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.  

Section 500.3 – Maintain cybersecurity policies. This section requires you to establish and maintain written cybersecurity policies that essentially comprise the framework for your cybersecurity program. These policies should be created after an assessment of your cybersecurity risks. Those risks include how much data you hold, the types of data you hold, the number of people who can access that data, and other similar factors. DFS partnered with the Global Cyber Alliance (GCA) to develop a set of cybersecurity policy templates  which can provide a helpful starting point for individuals and small businesses.

You only need to establish and maintain policies that are relevant to your business, but you must consider whether you need policies that cover the following topics and controls, all of which are listed in Section 500.3:

• Information security
• Data governance and classification
• Asset inventory and device management 
• Access controls and identity management
• Business continuity and disaster recovery planning and resources
• Systems operations and availability concerns  
• Systems and network security
• Systems and network monitoring
• Systems and application development and quality assurance
• Physical security and environmental controls
• Customer data privacy
• Vendor and third-party provider management
• Risk assessment
• Incident response

As of April 29, 2024, you will also be required to consider whether you need policies that cover the following areas:

• Data retention
• End of life management
• Remote access
• Security awareness and training
• Application security
• Incident notification
• Vulnerability management

Your policies need to be approved by your senior leadership, such as a senior officer or manager or an appropriate committee of your board (if one exists).  

Section 500.7 – Control who can access your computer system and nonpublic information. This section requires you to know who has access to the confidential customer and business information held by your business AND to limit that access to people who need it for their job. This section also requires you to periodically review who has and needs such access.

As of May 1, 2025, you must also impose limits with respect to privileged accounts, only allow secure connections where devices can be remotely controlled, promptly terminate access when employees leave, and have a written password policy that meets industry standards, among other things.

Section 500.9 – Conduct risk assessments. You must base your cybersecurity program on the identification, evaluation, and prioritization of cybersecurity risks to your business operations, including but not limited to risks to your Information Systems, the Nonpublic Information maintained on those systems, and your customers. You must conduct periodic risk assessments in accordance with written policies and procedures which have to include: the criteria you will use to evaluate and categorize identified cybersecurity risks and threats;  the criteria you will use to assess the confidentiality, integrity, security, and availability of your Information Systems and the Nonpublic Information maintained on them; and requirements that describe how identified risks will be controlled, minimized, or accepted and how your cybersecurity program will address those risks.  These assessments must be reviewed and updated at least annually and when any changes to your business or technology materially impacts your cyber risk.

Section 500.11 – Maintain a policy regarding the use of third-party service providers. You must have written policies and procedures designed to ensure the security of the confidential customer and sensitive business information that is accessible to, or held by, third parties. A third party, for purposes of the Cybersecurity Regulation, is an individual or organization that provides services to you, has access to your confidential customer and other sensitive business information, and is not affiliated with you or your company. Law firms, internet hosting companies, and electronic storage providers are examples of third-party service providers.

Section 500.13 – Limit the data you keep. You must not keep confidential customer and sensitive business information any longer than it is needed for business purposes. A legitimate business purpose includes anything you are required to retain by law or regulation.

As of November 1, 2025, you will also need to have policies in place to implement and maintain an up-to-date asset inventory covering your information systems. 

Section 500.17 – The following are required notifications to DFS:

• Annual Compliance Submissions – Submit either a Certification of Material Compliance or an Acknowledgment of Noncompliance each year by April 15th regarding your compliance during the previous calendar year.
  • If you were materially compliant with all sections of the Cybersecurity Regulation that applied to you during the previous calendar year, submit a Certification of Material Compliance.
  • If you cannot certify that you were in material compliance with the sections of the  Cybersecurity Regulation that were applicable to you during the prior calendar year, you must submit an Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of the Cybersecurity Regulation that you have not materially complied with; (3) describes the nature and extent of the noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed.
• Cybersecurity Incident Notifications – Notify DFS within 72 hours after you determine that you experienced a Cybersecurity Incident, which includes acts or attempts to gain unauthorized access to, disrupt, or misuse your Information Systems or the Nonpublic Information stored on those Information Systems that:
  • impacted you and required you to notify another government body, self-regulatory agency or any other supervisory body; 
  • has a reasonable likelihood of materially harming any material part of your normal operations; or
  • resulted in the deployment of ransomware within a material part of your Information Systems.
• Extortion Payment Notifications – If you make an extortion payment in connection with a Cybersecurity Event that occurred on your Information Systems, you must notify DFS within 24 hours of payment. Within 30 days of payment, you must provide the reasons payment was necessary, alternatives to payment that were considered and the diligence, or research, you conducted to find these alternatives. You must also describe the diligence you performed to ensure compliance with all applicable rules and regulations including those of the Office of Foreign Assets Control.  

If you qualify for a Section 500.19(a) limited exemption, as of November 1, 2024, you will also need to comply with two other Sections of the Cybersecurity Regulation: Section 500.12 and Section 500.14(a)(3).

Section 500.12 – Use multi-factor authentication (“MFA”) for any remote access you allow into your information systems, or to third-party applications where Nonpublic Information is accessible (including any cloud applications), or to privileged accounts. If – and only if – you have a CISO, you may be able to use reasonably equivalent or more secure compensating controls as long as the CISO approves and reviews the controls to ensure their reasonable equivalence at least annually. 

Section 500.14(a)(3) – Provide cybersecurity awareness training that includes social engineering for all personnel at least annually.

If you do not qualify for any exemption, then you must comply with all sections of the Cybersecurity Regulation. The above list does NOT include a discussion of all of the sections that are applicable to you if you don’t qualify for an exemption. 

Step 6. If you are complying with all of the sections of the Cybersecurity Regulation applicable to you, submit a Certification of Material Compliance annually by April 15.  If not, submit an Acknowledgment of Noncompliance by April 15.

If you qualify for an exemption and are in material compliance with the sections of the Cybersecurity Regulation that are applicable to you, submit a Certification of Material Compliance by April 15 of each year through the DFS Portal. 

If you cannot certify that you were in material compliance with the Cybersecurity Regulation for the prior calendar year, you must submit a written Acknowledgment of Noncompliance which (1) acknowledges that you did not materially comply with all the requirements applicable to you; (2) identifies all sections of Part 500 that you have not materially complied with; (3) describes the nature and extent of such noncompliance; and (4) provides a remediation timeline or confirmation that remediation has been completed. See Section 500.17(b).

If you do not qualify for an exemption, submit a Certification of Material Compliance or an Acknowledgment of Noncompliance by April 15 of each year through the DFS Portal. 

Answers to Questions Frequently Asked by Individuals and Small Businesses

Questions regarding DFS Portal submissions (Section 500.17)

Questions regarding filing annual notifications regarding compliance (Certifications of Material Compliance and Acknowledgements of Noncompliance) (Section 500.17(b))

Questions About Limited Exemptions (500.19(a), (c), and (d))

Questions about full exemptions (Section 500.19(b))

DISCLAIMER: This part is explanatory and provided for informational purposes only. In the event of an inconsistency between this part and the Cybersecurity Regulation, the Cybersecurity Regulation will prevail.

Tools for Small Businesses

As doing business online becomes indispensable, it is essential that small businesses protect themselves and their customers from cybercrime. However, cybersecurity can be especially challenging for small businesses.

The Department is committed to supporting small businesses in this regard. To help improve their cybersecurity, DFS has partnered with the Global Cyber Alliance (GCA) to highlight the availability of free cybersecurity resources. GCA has created a Cybersecurity Toolkit for Small Business that contains a set of free tools, guidance, resources, and training for small businesses. It is targeted to small businesses that do not have a dedicated cybersecurity staff.

Because governance is critical to effective cybersecurity, DFS also partnered with GCA to develop sample cybersecurity policies. These policies are designed to help small businesses install the governance and procedures necessary for effective cybersecurity. The sample policies provide a helpful starting point for all small businesses.

The sample policies include:

• Cybersecurity Policy
• Access Control Policy
• Asset Inventory & Device Management Policy
• Data Classification Policy
• Physical & Environmental Security Policy
• Risk Assessment Policy
• System & Network Security Policy
• Third Party Service Provider Policy

All cybersecurity policies created by a business should be tailored to the business’s specific needs, risks, resources, and structure. Some businesses may require additional actions beyond those suggested in the sample policies; likewise, not every action suggested will be required for every business. Policies based only on the samples therefore may not constitute full compliance with state and federal laws and regulations, including the Cybersecurity Regulation. Best practices can also change over time.

Businesses should review their policies for accuracy, completeness, and applicability, and update them as needed based on their risk assessments.

More guidance for small businesses can be found in our Information for Small Businesses section.

Other small business resources

• Department of Homeland Security, Cybersecurity and Infrastructure Agency (CISA)
• Small Business Administration (SBA)
• Cyber Readiness Institute
• Cybercrime Support Network

Materials in this section were on our Resource Center previously. Given the evolving cybersecurity landscape, they have been replaced with materials set forth in the other sections of this Resource Center. Everything currently required of Covered Entities can be found in the sections above and the materials in the other sections supersede any conflicting material found below.

• May 24, 2022: Spotlight on Small Business: DFS and the Global Cyber Alliance Share Achievable Cybersecurity Controls for Smaller Organizations
  • Introductory Remarks and NYS Legislators Welcome Small Businesses
  • Presentation on Free Cybersecurity Tools for Small Businesses: Cybersecurity Toolkit
  • Presentation on Real World Applications: Responding to Common Cyber Scenario
  • Closing Remarks
• April 26, 2022: The Human Factor: Leadership, Governance, and Diversity in Cybersecurity
  • Introductory Remarks and Panel on Increasing Diversity in the Cybersecurity Industry
  • Use of Emergent Blockchain Analytics Capabilities to Combat Ransomware and Other Illicit Activity
  • Panel on Leadership and Governance in Cybersecurity and Closing Remarks
• March 29, 2022: The Unrelenting Cybersecurity Battle: 5 Years of Evolving Threats and Control
  • Introductory Remarks
  • Panel on the Future of Cybersecurity: DFS and Beyond
  • Presentation on Modernizing Cybersecurity Supervision
  • Panel on the Key Cyber Risks of 2022
• December 10, 2014: Industry Letter Regarding New Cyber Security Examination Process