If you have a Life Insurance License in New York State, you are considered a “covered entity” by the New York Department of Financial Services (NYDFS). All covered entities are required to file an Annual Certification of Compliance with the NYDFS certifying, for 2022, you complied with the Cybersecurity requirements set forth in 200 NYCRR 500.
Things to keep in mind:
You must file the Certification of Compliance every year by 4/15 for the prior year.
If you filed for one of the limited exemptions, you do NOT need to refile it on an annual basis. It only needs refiled if you had a change in one of the areas of exemption.
The exemptions are limited in nature, you still must meet and certify the nonexempted items.
These are the items needed for qualifying for a limited exemption:
500.19 (a) (1) Fewer than 10 employees working in NYS
500.19 (a) (2) Less than $5 million in gross annual revenue
500.19 (a) (3) Less than $10 million in year-end total assets
If you qualify for one of the above, you will receive a limited exemption from all the rules set forth in 200 NYCRR 500. Since this is a limited exemption, you still must satisfy and certify the following:
500.2- Cybersecurity Program
500.3- Cybersecurity Policy
500.7- Access Privileges
500.9- Risk Assessment
500.11- Third Party Service Provider
500.13- Limitations on Data Retention
500.17- Notices to Superintendent
The above information is for cybersecurity educational purposes only and should not be construed as legal or compliance advice. Legal and Compliance questions should be directed to the appropriate professionals in those areas.
Source: NYDFS Website
Would you like a free, no-obligation Cybersecurity Benchmarking of your organization showing where you stand vs. industry-accepted practices? Click here to schedule a time with one of our associates.