Hot Topic

Cybersecurity

NY CYBERSECURITY REGULATION
Requirements for EVERY Agency & Individual

The NYS Department of Financial Services (DFS) has new cybersecurity rules that every agency and individual must follow. Failure to do so may result in fines.


September 3rd Cybersecurity Deadline: What You Need to Know



The next cybersecurity deadline is 9/3/2018

Agencies that qualify for the limited exemption (if you don't know whether you do, check here):
You must establish written policies and procedures for data retention and disposal. Read the guidelines on record retention here.

Agencies who do not qualify for the limited exemption:
In addition to data policies, there are other requirements for this deadline. You can find them here 

Members Only Benefit! Tips for Creating your Data Retention Policy

Thanks to the relationship with your state association, Big I members from outside of NY can access and use this document.
How: Click here (will open in new window); Enter password provided by your state; Click 'download' in top right corner

Download Here

What do you need to do now? 
Start here. We'll walk you through it.
Individuals

ALL individuals should have filed for exemption 500.19(b) by October 30, 2017 if they are covered by the cybersecurity program of another Covered Entity.

Directions on how to file for individual exemption (pdf)


 

Agencies

1|  You should have filed your limited exemption
(This was required by October 30, 2017)

Your agency qualifies for a limited exemption if any of the following apply to it:

  • Fewer than 10 employees (including independent contractors)
  • Less than $10 million in year-end total assets 
  • Less than $5 million in gross revenue

We at Big I New York are very proud of the hard work and great success we had in expanding the limited exemption, thus allowing more agencies to be included in it and drastically reducing the hardship it presents.

Note: A limited exemption does not get you completely off the hook, but it drastically reduces the number of required actions.  

File notice of limited exemption with DFS. How: Complete online filing

Don't qualify for the limited exemption? Don't worry, we will help you comply. 

2|  Complete the following requirements

All Agencies (including those with limited exemption)


Agencies WITHOUT Exemption Must Also

  • Develop an incident response plan
  • Employ cybersecurity personnel

 
Every Year  |  Annual Certification of Compliance (for business entity licenses)

You should have already completed Steps 1 and 2 below before completing this step. You must file your Annual Certification of Compliance no later than February 15 every year. You will file it the same way you filed your limited exemption – online at the DFS website. You will be certifying that you are in compliance with the DFS Cybersecurity Regulation each year.

 

Big I Members Outside NY
Thanks to the relationship with your state association, Big I members from outside of NY can access and use this document.
How: Click here  (will open in new window); Enter password provided by your state; Click 'download' in top right corner


Note - Many agencies would benefit from the guidance of a cybersecurity professional. We connected with providers across NY to learn which areas each can lend expertise to. The result - a grid of providers for you to choose the right fit for your agency.  View the directory