Cyber

Category: Cyber

Feb 11

Another Resource To Help with Cyber Reg Compliance

Timothy Dodge on 2/11/2025 3:30 PM

We are pleased to announce the creation of another new resource to help independent insurance agencies comply with the New York financial services cybersecurity regulation. The new tool helps agencies that qualify for the limited exemption identify the requirements that apply to them. It also informs the agency as to which filing it must submit before the April 15 deadline.

Section 500.17(b) of the regulation requires all "covered entities" (New York licensed and chartered companies in the banking, financial services, and insurance industries) to annually submit either a Certification of Material Compliance or an Acknowledgment of Non-Compliance regarding the prior calendar year. The entity must complete and submit the appropriate form on the New York State Department of Financial Services (DFS) website annually by April 15.

This requirement applies to the business entity only; it does not apply to licensed employees of an agency.

Our new resource provides a checklist of the requirements that apply to limited exempt agencies. The list is in the form of several questions for which the answers are either "yes" or "no." If the head of IT for your agency (and that person may well be the agency principal) can truthfully answer "yes" to all the questions, the agency should submit the Certification of Material Compliance.

On the other hand, if the truthful answer to one or more questions is "no," the agency should complete the Acknowledgement of Non-Compliance.

The checklist is an exclusive benefit for Big I New York members. You can find it on the Filing Instructions page in the Cybersecurity section of our website. Because the Cybersecurity section is a benefit that our members pay for, users must log in to the site with their email address and password to access it.

Other resources to help you complete the filing include:

Please be aware that neither the agency nor its licensed employees are required to resubmit the Notice of Exemption on the DFS cyber portal unless their circumstances have changed. If nothing has changed, it is unnecessary to complete and submit this form again.

0 Comment(s)

Jan 30

New Resource Helps You Comply With NY Cyber Reg

Timothy Dodge on 1/30/2025 1:38 PM

Big I New York has unveiled a new resource to help agencies comply with part of the New York financial services cybersecurity regulation. Specifically, it will make it easier for you to comply with the requirements regarding third-party service providers. You now have one-stop access to information about the cybersecurity practices of large publicly traded insurance carrier groups.

The regulation's Section 500.11 requires all covered entities, including insurance agencies and brokers of any size, to “implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers." (See this flowchart to determine who is a third-party service provider for your agency.) The policies and procedures, which the agency must base on its annual or more frequent risk assessments, must address among other things, “due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers …"

If a third-party service provider has access to your computer systems and data, the regulation requires you to investigate what they're doing to prevent data breaches. (I recorded a 20-minute video about this requirement in 2019.) The most common way entities perform this due diligence is to send third parties a questionnaire like the one we created for you to use. However, as I said in the video, the questionnaire is one way to perform the due diligence; it is not the only way. The text I quoted above does not say anything about a questionnaire. It says the policies and procedures must address “due diligence" without telling you how to do it.

Section 500.11 requires each covered entity to establish “minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity." What those minimum practices must be are up to you; the regulation does not set them. For example, you could say that every third-party service provider must meet at least the requirements of the New York regulation.

I've said it many times: The good thing about this regulation is it gives entities a lot of leeway on how to comply. The bad thing is it gives entities a lot of leeway on how to comply. You must figure out what works best for you.

The New York State Department of Financial Services (DFS) has said that an insurance agency is a third-party service provider to a carrier, and a carrier is a third-party service provider to an agency. This means the agency must perform due diligence on its carriers. Getting a response from a large national carrier to a questionnaire may be futile. Our new resource makes that unnecessary.

U.S. Securities and Exchange Commission rules require publicly traded companies to report on the cybersecurity programs as part of their annual 10-K reports. The new list posted in the Cybersecurity section of our website links to those sections of the 10-K reports for thirteen carrier groups, including Travelers, The Hartford, AIG, Erie, Progressive, and others that many Big I New York members represent.

After you've decided what your minimum requirements are, download the report for the carrier group you're investigating, compare the contents of that report to your requirements, and decide whether the carrier meets them. If they do not, you then must decide whether to continue doing business with them. The regulation does not require you to stop doing business with them. However, if they ever suffer a breach that affects you or your clients, you should be able to justify a decision to do business with them to the DFS.

Companies typically make their annual 10-K reports from late January to late February. The links on the list right now are to the year-end 2023 reports. We plan to update the links in March after they've made the 2024 reports. We encourage you to save yourselves some work and use this information as part of your compliance efforts.

You'll find links to the list on the main page at www.biginy.org/cyber and on the Compliance Resources page.

0 Comment(s)

Jan 10

NY Cybersecurity Regulation: What Your Agency Needs To Do

Timothy Dodge on 1/10/2025 11:56 AM

January 2025 has brought with it fresh batches of lake effect snow and a new cybersecurity regulation compliance filing season. Sometime between now and April 15, each agency must log into the NYS Department of Financial Services (DFS) cyber portal and complete and submit one of two forms:

Certification of Material Compliance (if the agency was in material compliance with all sections of the regulation that applied to it in 2024.)
Acknowledgement of Non-Compliance (if the agency was not in material compliance with all sections that applied to it in 2024.)

In November 2023, DFS adopted amendments to the regulation that implemented a number of changes that are being phased in between Nov. 1, 2023 and Nov. 1, 2025. The bulk of these changes impacted larger entities that do not qualify for the limited exemption. More than 90% of Big I New York members were not impacted by those changes. However, there are some requirements that even small agencies had to meet starting in 2024, with others to follow this year. The following items apply to all agencies:

2024 Changes

Risk assessments must now be done annually.
The agency's senior officer or its governing body (if it has one) must review and approve the written cybersecurity policies and procedures annually.
Cybersecurity awareness training, including training on social engineering attacks, must be provided to employees annually.
Multi-factor authentication (MFA) must be implemented for situations where agency staff access the agency's computer system remotely (from home, cars, restaurants, etc.)

2025 Changes

Implement restrictions on system administrator accounts (effective May 1.)
Implement written policies and procedures for producing and maintaining an asset inventory of the agency's systems (workstations, mobile devices, phones, printers, etc.) (effective Nov. 1.)

Here are answers to some questions you might have:

Do I have to file for both the agency and all my licensed employees?

No. Your licensed employees should have long ago submitted Notices of Exemption to the department indicating that they are covered by your cybersecurity program. That makes them exempt from having to complete and submit these forms.

Is this something new?

No. The first Certification of Compliance was due by February 15, 2018. In 2020, the department pushed the filing deadline back to April 15 (it was actually later that year because of the pandemic, but it is now permanently April 15.) The Acknowledgment of Non-Compliance requirement took effect at the end of 2023. DFS expected entities who may have been out of compliance to complete and submit that form last year.

How do I know what sections of the regulation apply to me?

If your agency is large enough to not qualify for an exemption, you must comply with all of it. More than 90% of Big I New York members qualify for the limited exemption, and they must comply with only some sections. You can find a list of those sections in our post of Dec. 4, 2023.

What do I have to do to comply?

We have a comprehensive Cybersecurity section on our website with plenty of content to help an agency comply. The most important parts of that section are the Filing Instructions and Compliance Resources pages. Other pages provide links to the relevant laws in other states, vendors who can assist you, and checklists.

Can you help me complete the filing?

We encourage you to watch the recording of a webinar Tim Dodge presented last April in which he went step-by-step through the process. Dozens of members attended that webinar and completed their filings in real time. The procedure has not changed since then, so it should be a useful aid for you.

Members who wish to have Big I New York staff members provide one-on-one assistance with the filing may obtain that assistance, but there is an additional monetary charge.

Why is the State of New York doing this to me?

Section 500.0 of the regulation states in part, “Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. … Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities."

Why are insurance agencies being singled out?

They're not. The requirements of this regulation apply to every New York licensed or chartered person or entity in the financial services industry. That includes agencies, carriers, banks, credit unions, investment companies, and so on. It also applies to non-residents who hold New York licenses or charters.

Do other states require this?

New York was the first state to adopt a cybersecurity regulation for financial services, but at least 22 other states (Connecticut among them) have enacted insurance data security laws based on a model law published by the National Association of Insurance Commissioners (NAIC.) To our knowledge, however, New York is the only state that requires insurance producers to submit annual compliance filings.

Where can I find more information?

Three excellent resources are:

Big I NY Cybersecurity Resources

Big I NY Newsfeed – Cyber section

NYS DFS Cybersecurity Resources

For answers you can't find there, contact Tim Dodge at 800-962-7950 extension 229 or at tdodge@biginy.org.

0 Comment(s)

Nov 05

DFS: Beware Remote Workers With North Korean Ties

Timothy Dodge on 11/5/2024 4:14 PM

The New York State Department of Financial Services (DFS) has cautioned the businesses it regulates that some remote technology workers may be secretly acting on behalf of the North Korean government. DFS issued the alert in a November 1 letter. Big I New York members who hire virtual assistants or other remote workers should take precautions to avoid hiring one of these individuals.

According to the letter, information technology (IT) workers operating on behalf of North Korea have used several tactics to get jobs with U.S. companies. These include posing as individuals from the U.S. or other countries, using false or stolen identities, or buying identities from U.S. based individuals.

The individuals often use virtual private networks (VPNs) to make it appear that they reside in the U.S. when they apply for remote jobs. Notably, they may also refuse to join in-person or video conference meetings. They may also have their new employer's computer equipment shipped to alternative locations just before they start work. This permits U.S. based co-conspirators to access the equipment.

DFS said that the Federal Bureau of Investigation (FBI) and the U.S. Department of State have issued advisories regarding these threats.

The letter advised regulated entities to:

Make senior management, IT personnel, and human resources departments aware that this could happen.
Conduct a thorough background check during the hiring process, possibly including live or video interviews.
Track the locations of company-owned laptops and cellphones to ensure that they are delivered and remain at the residence address the employee provided.
Limit remote employees' access to systems.
Notify law enforcement and regulators promptly if they conclude that they've been victimized by one of these schemes.

The complete text of the letter, including links to the FBI and State Department alerts and the web address for reporting incidents, is on the DFS website.

0 Comment(s)

Oct 31

DFS Letter: Beware of Cyber Risks From A.I.

Timothy Dodge on 10/31/2024 3:04 PM

The New York State Department of Financial Services (DFS) has cautioned the entities it regulates to be alert to cybersecurity risks resulting from using artificial intelligence (AI) technology. The department also described steps for reducing those risks.

DFS responded in the October 16 industry letter to questions about the cyber risks from AI and what to do about them. The letter did not add new requirements to those in the department's cybersecurity regulation. Instead, it explained how entities should use the regulation's provisions to assess and address AI risks.

THE RISKS: WHY YOU SHOULD BE AFRAID

Among the risks the department highlighted were:

Social Engineering: “Social engineering" is a cyber attack in which the attacker uses human interaction to obtain an organization's information or to compromise its information or computer systems. For example, a hacker may convincingly impersonate a manager within an organization. This person then convinces an employee to transfer funds to an illegitimate account.

According to the letter, AI has made these attacks more effective. It said, “Threat actors are increasingly using AI to create realistic and interactive" so-called “deepfakes" (audio, video, and text communications that appear to be from an internal manager but are not.) Hackers deliver these communications by email, phone, text message, videoconferencing, and postings online. “For example," DFS said, “in February 2024, a Hong Kong finance worker was tricked into transferring $25 million to threat actors after they set up a video call in which every other person participating, including the Chief Finance Officer, was a video deepfake."

Enhanced Cyber Attacks: AI can scan and analyze large volumes of data much faster than a human can. This enables hackers to use it to find and exploit security holes much more quickly. Once inside, they can use it to figure out how to best deploy malware in a network and steal information. They can also use it to quickly develop new versions of malware and ransomware that can elude security controls.

Lastly, AI tools enable hackers who lack coding chops to develop and launch their own attacks. “This lower barrier to entry for threat actors, in conjunction with AI-enabled deployment speed," the letter said, “has the potential to increase the number and severity of cyberattacks, especially in the financial services sector, where the maintenance of highly sensitive NPI (non-public information) creates a particularly attractive and lucrative target for threat actors."

Entities' Use of AI Tools: Products that use AI rely on collecting and processing large amounts of data. Some of this data will be NPI. A summary of the New York cybersecurity regulation is, “What you collect, you have to protect." Therefore, entities using AI products may have to protect much more information than they might have otherwise. That information could include biometric information (facial characteristics, fingerprints, etc.) Multi-factor authentication (MFA) systems use this information to verify a network user's identity. Hackers who steal it can use it to log into a network by impersonating a trusted user.

Third Parties: Third party service providers and vendors may either provide data to the entity or have access to the entity's NPI. If they suffer cyber incidents, the entity's NPI and systems may be vulnerable to attack.

THE CONTROLS: WHAT YOU CAN DO ABOUT THE RISKS

The letter listed several procedures the regulation already requires that an entity can use to reduce the risks.

Include the potential for deepfakes and other AI threats when performing the annual risk assessment.
Design the risk assessment to address:

The entity's use of AI.
AI technologies its third-party service providers and vendors use.
Any vulnerabilities that might result from AI technologies and that could threaten the computer network and NPI.

Update the entity's cybersecurity policies and procedures to reflect the threats uncovered during the assessment.
Larger entities who do not qualify for a limited exemption must create and implement plans for investigating and mitigating cyber incidents. They must also have plans for incident response, business continuity, and disaster recovery. Limited exempt entities might want to give some thought to these subjects even though the regulation does not require them to create formal plans. Planning ahead means less flailing if an incident occurs.
Create a workplace culture that includes cybersecurity awareness.
When performing due diligence on third-party service providers, consider their uses of AI; the threats that could pose to them; and how cyber incidents they experience could impact your entity.
Implement strong controls for access to the entity's network, starting with MFA. The regulation requires all entities to implement MFA by November 1, 2024. They should also include annual reviews of which network users have access to NPI and whether they still need it.
Annual cybersecurity awareness training for all employees, including training on the risks of social engineering attacks. The regulation requires all entities to start doing this by November 1, 2024.
Larger entities must have formal system monitoring tools in place. Limited exempt agencies should at least be alert to signs of unusual activity. They should also watch for employees using the system for purposes the agency has not approved.
Place sensible limits on the amount of NPI the agency collects and retains. These will vary by the business needs of the agency. What you collect, you must protect, so do not retain more data than you want to protect.

AI technologies are here to stay, and their use will only grow with time. If your agency has not yet registered with technology consulting firm Catalyit, we urge you to do so now. They presented a series of webinars last spring that explain how using AI can benefit your business. There are plenty of benefits to using these technologies, but as with any other type of operation, there are risks. The DFS published this letter to make you aware of the risks and suggest ways to control them while you reap the benefits.

0 Comment(s)

Oct 03

DFS Cybersecurity Alert: Hackers Infiltrating Help Desks

Timothy Dodge on 10/3/2024 5:31 PM

The New York State Department of Financial Services (DFS) last week warned all financial services companies of a new cybersecurity threat targeting information technology (IT) help desks and service centers. A letter dated September 27, 2024 stated, "DFS has seen evidence that threat actors are targeting IT help desks and call centers using, among other tactics, voice-altering technology in conjunction with information obtained on the internet about the identities of personnel to convince help desks to reset passwords and divert multi-factor authentication (MFA) to new devices."

DFS urged all entities it regulates to alert help desk and service center staff to be diligent in authenticating the identities of anyone who requests changes to authentication factors. While most Big I New York members do not have help desks, many do use insurance carrier call centers. You may find that the call centers' staff will take more steps to verify your identity when you contact them than they did before. This will likely be because of this new DFS alert. You should anticipate this when contacting them.

0 Comment(s)

Oct 03

Deadline For New Cybersecurity Reg Requirements is Nov. 1

Timothy Dodge on 10/3/2024 5:07 PM

We want to remind all Big I New York members of the upcoming deadline for complying with new cybersecurity requirements. The New York State Department of Financial Services (DFS) last November 1 amended its Cybersecurity Requirements for Financial Services Companies regulation. That amendment included several changes. Some of the changes took effect immediately. The deadlines for others were this past spring, with the deadlines for the rest next month and next year.

Many of the regulation's 24 sections do not apply to businesses that qualify for the “limited exemption." A business qualifies for the limited exemption if any one of the following three things are true about that business:

The business and its affiliates have fewer than 20 employees and independent contractors.
The business and its affiliates generated less than $7.5 million in gross annual revenue in each of the last three fiscal years from all operations (count only the New York State operations of affiliates.)
The business and its affiliates have less than $15 million in year-end total assets.

Most Big I New York members qualify for the limited exemption.

DFS sent an email to all New York licensed insurance professionals earlier this week reminding them of these deadlines. However, only two apply to all “covered entities" (the regulation's term for anyone with a New York banking, financial services, or insurance charter or license.) The other three apply only to businesses that do not qualify for the limited exemption and so-called “Class A companies" (very large companies with revenues in the tens of millions and more than 2,000 employees.)

The two November 1 deadlines that apply to all covered entities are:

1. Use multi-factor authentication (MFA) for any individual accessing the entity's information systems. However, agencies that qualify for the limited exemption must use it only for:

Remote access to the agency's computer systems.
Remote access to third-party applications from which individuals can access non-public information.
All “privileged accounts" (essentially system administrator accounts) other than service accounts that prohibit interactive login.

If your agency has not already implemented MFA and you need help, agency technology consulting firm Catalyit offers these resources:

Catalyit Live: How to Set Up MFA in Your Agency (webinar, Oct. 11, 2024, 11:00 am EDT)
Implementing Multi-Factor Authentication for Your Business

Membership in Catalyit is free for Big I New York members, so we encourage all members to register.

2. Provide, at least annually, cybersecurity awareness training that includes social engineering for all personnel. The training should be updated as needed to reflect the risks the agency has identified during its annual cybersecurity risk assessment.

The Compliance Resources page in the Cybersecurity section of our website lists these potential providers of cybersecurity awareness training.

All covered entities, including agencies that qualify for the limited exemption, must comply with these requirements by November 1, 2024.

The deadlines that apply only to larger organizations involve cybersecurity reports to an entity's senior governing body, changes to encryption requirements, and changes to incident response and business continuity management requirements. These requirements do not apply to agencies that qualify for the limited exemption.

For more information:

www.biginy.org/cyber
New York's Cyber Regulation is Changing. Here's What it Means for You. (Nov. 2, 2023)
Gear Up Webinar on the 2023 Amendments to the Regulation (Nov. 29, 2023)
Limited Exempt Agencies: Here Are the Sections of the Cyber Reg You Must Comply With (Dec. 4, 2023)

0 Comment(s)

Aug 28

Do You Have To Report A Wholesaler's Cyber Incident?

Timothy Dodge on 8/28/2024 11:58 AM

A South Carolina based wholesale insurance brokerage reported last week that they had suffered an undescribed cybersecurity incident. It closed the wholesaler for a substantial part of the week.

Some Big I New York members have asked whether the New York financial services cybersecurity regulation obligates them to notify the state Department of Financial Services (DFS) about this incident. If your agency does business with that wholesaler, you may have the same question.

Based on the information we have received and what the wholesaler has said on its website, we do not believe New York agencies have an obligation under the regulation to report this incident to the DFS. The wholesaler does, but the retail agency does not.

Section 500.17 of the regulation states:

(a) Notice of cybersecurity incident.

(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department's website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.

(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.

The definitions in Section 500.1 state:

For purposes of this Part only, the following definitions shall apply:

(a) Affiliate means any person that controls, is controlled by or is under common control with another person. For purposes of this subdivision, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise. …

(f) Cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.

(g) Cybersecurity incident means a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:

(1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;

(2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or

(3) results in the deployment of ransomware within a material part of the covered entity's information systems.

(m) Person means any individual or entity, including but not limited to any partnership, corporation, branch, agency or association. …

(s) Third-party service provider(s) means a person that:

(1) is not an affiliate of the covered entity;

(2) is not a governmental entity;

(3) provides services to the covered entity; and

(4) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.

The incident at this wholesaler was clearly a “cybersecurity event" because it was a successful act to disrupt an information system. Mission accomplished. In addition, it was a cybersecurity event that occurred at a “third-party service provider" because the wholesaler does not have an ownership relationship with retail agencies, isn't a governmental entity, provides services to the retailers, and (I assume) has access to the retailer's non-public information. That meets the first part of the definition of “cybersecurity incident."

However, the incident does not fit the three other parts of the definition:

It impacts the retail agency but there is no indication (yet) that a report to law enforcement is necessary – the wholesaler said, “To date, there is no evidence that any data has been misused in any way." If the retailers' clients' private information has not been exposed, no report to law enforcement is necessary.
It does not appear to have a reasonable likelihood of materially harming any material part of the retailer's normal operations, since nothing has been reported about the incident shutting down retailers.
No ransomware has been deployed in retailers' computer systems.

Since the incident does not meet any of those three criteria, it is not a “cybersecurity incident." A cybersecurity event that is not a cybersecurity incident does not require a notice to DFS. That could change, especially if the wholesaler does eventually report that private data was exposed and they had to notify the police. Any future communications from them on this will be important.

0 Comment(s)

May 17

NYS DFS Offers New Cyber Program Template

Timothy Dodge on 5/17/2024 10:50 AM

The New York State Department of Financial Services (DFS) this week unveiled a new model Cybersecurity Program Template for use by small businesses including insurance agencies. All independent insurance agencies should consider using this template as the model for their cybersecurity programs. New York's financial services cybersecurity regulation requires all agencies to implement cybersecurity programs.

In a guidance letter dated May 13, 2024, the department stated that the model "prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation." It also includes frameworks for developing and tracking:

Asset inventories
Risk assessments
Multi-factor authentication exceptions, and
Third-party service providers.

The template is available for you to download from the DFS website and at www.biginy.org/cyber.

0 Comment(s)

Feb 16

The Cybersecurity Certification of Compliance Has Changed

Timothy Dodge on 2/16/2024 4:30 PM

The DFS regulated entities in the banking, financial services, and insurance sectors must complete the compliance filings that the financial services cybersecurity regulation requires by April 15. This year they will notice a change..

The DFS regulates entities in the banking, financial services, and insurance sectors. These entities must submit a statement by April 15 each year about the state of their compliance with the regulation's requirements. Before this year, they had to submit a statement that they were complying with them during the prior calendar year.

An amendment to the regulation that took effect last November 1 expanded that requirement. Entities will have to complete and submit one of two forms:

Your agency will complete and submit the first one if it “materially complied" with the regulation's requirements during the prior calendar year. The agency must base this on records that support the conclusion.

The agency must submit the second one If it did not meet the requirements in one or more sections of the regulation that apply to it. The person completing this form must:

Acknowledge that the agency did not “materially comply" with all the regulation's requirements during the prior year.
Identify the sections the agency did not comply with.
Describe what the agency failed to do and how big the failure was.
Either affirm that the agency has since met the requirements or provide a timeline for eventual compliance.

The agency's highest-ranking executive and its chief information security officer (CISO) must sign whichever form the agency submits. If the agency does not have a CISO, the senior officer responsible for the agency's cybersecurity program must sign it instead. Most Big I New York members do not have a CISO. If the highest-ranking executive and the person responsible for cybersecurity are the same person, that person must sign it in both spaces.

Your agency must retain the documents supporting its filing for five years.

If you are one of the 92% of Big I New York members who qualify for the limited exemption, you must certify compliance or acknowledge noncompliance only with those sections of the regulation that apply to you.

Two things that have not changed:

Your licensed employees who your agency's cybersecurity program covers do not have to submit either of these forms. They should have submitted a Notice of Exemption and given Section 500.19(b) as the reason.
The regulation does not require the agency or its licensed employees to submit the Notice of Exemption again unless something has changed. An employee who changed employers or their name must submit a new one. So does an agency that grew too large to qualify under one of the three criteria for the limited exemption. If none of that is the case, the regulation does not require a Notice of Exemption every year. We have spoken with members who have done this unnecessary work.

More information is always available at: