DFS has issued, without announcement or public notice, an extension of the filing deadline until October 30. The language, posted quietly on the DFS web site, is a bit unclear and may create more confusion than previously existed:

The Department has extended the initial period for making the filing of the Notice of Exemption required by 23 NYCRR 500.19(e) until October 30, 2017. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) before October 1, 2017, are now required to file a Notice of Exemption on or prior to this date.

NAIFA-NYS – which has been actively speaking out against provisions of the regulation since it was first released – will be seeking immediate clarification from DFS and will send you further guidance as soon as available.

The Department of Financial Services (DFS) cyber-security regulation requires all insurance licensees in New York to

(1) certify that they have a cyber-security program that complies with the regulation

OR

(2) file for an online exemption

To file for an exemption, if you qualify for one:

– go to www.dfs.ny.gov

– click on the orange “CYBERSECURITY REGULATIONS” box to the right

– on the new page, click on the orange “CYBERSECURITY FILING” box

– click “Create Account” (if you don’t already have one) and complete the required info

– on the next page, click on “Submit Cybersecurity Notice of Exemption”

– complete the form to provide your name/ID info, reason(s) for exemption, and affirmation of authority

– click “Submit”

______________________________________________________________________________

REASONS FOR EXEMPTION

Covered entities can receive a limited exemption if they have:

– fewer than 10 employees, including independent contractors

OR

– less than $5,000,000 in gross annual revenue in each of the last three fiscal years

OR

– less than $10,000,000 in year-end total assets (calculated in accordance with generally accepted accounting principles, including assets of all Affiliates)

_______________________________________________________________________________

IMPORTANT NOTE

An exemption will NOT exclude you from all of the cyber reg. requirements.

You still will need to:

establish a cybersecurity program and written policy (including limited user access privileges, periodic risk assessments, third-party service provider supervision, and secure disposal of no-longer-needed data) and annually certify to DFS that you still qualify for the exemption.

CLICK HERE FOR DFS FREQUENTLY ASKED QUESTIONS REGARDING THE REGULATION.

Contact Peter Molinaro, NAIFA-NYS General Counsel, at pmolinaro@naifanys.org or at 518-426-3800 with questions.