
Next Important Date


Most Recent Deadline: March 1, 2019


March 1, 2019 - Third Party Service Provider Requirements

Under Section 500.11, effective March 1, 2019, all covered entities (agencies and brokerages) will be required to:
  • Create and implement a written third party service provider policy designed to ensure the security of nonpublic information that is accessed by third party service providers (TPSPs), including, but not limited to, technology/software vendors and insurance carriers. The policy must consider, to the extent applicable, the risk posed by the third party, minimum cybersecurity standards to be met by TPSPs, due diligence processes to evaluate the adequacy of TPSPs, and periodic risk assessment of TPSPs.

  • Include in that written third party service provider policy guidelines and/or contractual protections relating to TPSPs, including, to the extent applicable: the TPSP's policies and procedures for access controls; use of encryption; notice to the covered entity of a cyber event; and representations and warranties addressing the TPSP's policies and procedures that relate to the security of the covered entity's own information systems.

  • Per the DFS, due diligence of TPSPs is a two-way street in the case of agents/brokers and carriers. Carriers must conduct a risk assessment and due diligence on all of their agents, while at the same time agents must also conduct a risk assessment and due diligence of all carriers whose policies they write. Read More

Did you miss our Jan. 2019 GEAR UP! webinar on this requirement? Watch the video and review answers to questions that came in.

Having trouble figuring out who qualifies as a third party service provider? Check out this flowchart we've created to help, or watch this 7-minute video about who is a third party service provider.

For additional info and resources, visit our compliance resource page (login required).

In case you missed it: Did you meet the February 15, 2019 deadline for refiling a notice of exemption?

January 1, 2019 - February 15, 2019 - Any DFS regulated entity or licensed person that is currently entitled to an exemption must refile an Initial Notice of Exemption prior to filing an annual certification of compliance. Exemptions filed in 2017 and 2018 have expired. LEARN MORE

Be sure to carefully check your mail around the new year for the notice. For more information, see the DFS Cybersecurity webpage.


In case you missed it: Did you meet the 9/3/18 deadline for creating a data retention policy? If not:
Agencies that qualify for the limited exemption (don't know if you do? Check here):
You must establish written policies and procedures for data retention and disposal. Read the guidelines on record retention here.

Agencies that do not qualify for the limited exemption:
In addition to data policies, there are other requirements for this deadline. You can find them here.