Nov 02
New York's Cyber Regulation is Changing. Here's What it Means for You.

As we reported yesterday, the New York State Department of Financial Services has adopted its long-planned amendments to its Cybersecurity Requirements for Financial Services Companies regulation. We have prepared a summary of the changes in order of the dates when compliance is required.

What Happened:

For more than a year, the New York State Department of Financial Services (NYSDFS) has been working on amendments to the state’s cybersecurity regulation. On Wednesday, those changes were made final. Throughout the amendment process, Big I NY advocated strongly for many changes that will benefit independent insurance agencies and their customers, including an expanded limited exemption and total exemption for inactive licensees. We also urged the department to eliminate the requirement that agents and carriers "cross police" each other as third party service providers, and to eliminate the annual certification of compliance requirement. However, these suggestions were not adopted.

What it Means For You:

The most common question we have heard from agents is, “are these changes good?” The answer is it’s a mixed bag. The following is a brief summary of the key provisions. A detailed summary of all changes, including effective dates, is available here. 

Expanded Limited Exemption: A welcome change is the expanded criteria for who qualifies for a “limited exemption.” The limited exemption exempts small and mid-sized entities from the most burdensome (but not all) requirements. An estimated 93% of Big I NY members will now qualify under the new criteria:

  • Fewer than 20 employees (previously 10); or
  • Less than $7.5 million in gross annual revenue over the last 3 fiscal years (previously $5 million); or
  • Less than $15 million in year end assets (previously $10 million)

Exemption for Inactive Licensees: Licensees who have no carrier appointments will now be completely exempt from the regulation.

Changes to Certification of Compliance: The compliance filing that you must submit every year by April 15 will now require you to identify requirements under the regulation where your agency was not in material compliance the year before. You will also have to explain whether you have achieved compliance and, if not, what you plan to do about it. 

The filing will also require two signatures - one from the agency's senior officer, the other from the officer or manager in charge of cybersecurity. Big I NY repeatedly opposed these changes. We plan to ask NYSDFS for clarification on how agencies should handle that requirement when both roles are filled by the same person.

Multi Factor Authentication and Cyber Training: Beginning November 1st, 2025, all licensed entities (limited-exempt or not) must use multi-factor authentication for access to their information systems. Beginning April 29th, 2024, all entities must provide their employees with cybersecurity awareness and social engineering training.

Big I NY Has Your Back:

We plan to provide videos and other media to further explain the changes. Also, watch for your chance to register for a special Gear Up presentation on the amendments later this month.

Don't forget that you can access our cybersecurity-related information at any time by visiting and by checking the Cyber category in our Newsfeed.

Some of you may need individual help with the changes, and we're prepared to aid you with that as well. We are expanding our technical consulting service to include cybersecurity regulation compliance assistance. For an affordable hourly fee, you can get the individual attention you need to meet your obligations under the regulation.

Any change in laws or regulations that affect your business will be confusing and stressful, but we are here to make it as easy for you as possible. Check back here often as we add new content to help you with compliance.

