Skip Ribbon Commands
Skip to main content
Dec 04
Limited Exempt Agencies: Here Are the Sections of the Cyber Reg You Must Comply With


​With the New York State Department of Financial Services' (DFS) recent adoption of the second amendment to the Cybersecurity Requirements For Financial Services Companies regulation​, members have naturally been contacting us to ask what they're required to do. The overwhelming majority of Big I NY members qualify for the limited exemption. If you're agency is one of them, here are the sections of the regulation you must comply with regardless of your agency's size:

  • Section 500.2, Cybersecurity Program - you must have a program in place to protect your computer network and any nonpublic information (NPI) stored on it. The program is made up of the devices you use, the protective devices and software you have in place, and the policies and procedures the users of your network follow.
  • Section 500.3, Cybersecurity Policy - you must have written policies and procedures ​for protecting your computer systems and the NPI stored on them.
  • Section 500.7, Access Privileges and Management - to the extent it's feasible for your agency, your cybersecurity policy  must set limits on the parts of your system and NPI different users can access. It also must set limits on system administrator accounts and set procedures for regular management of all users' access.
  • ​Section 500.9, Risk Assessment - at least annually, you must perform an assessment of your cybersecurity risks, identify system vulnerabilities, and develop a plan to address them.
  • Section 500.11, Third-Party Service Provider Security Policy - your cybersecurity policy must include policies and procedures for ​ensuring the security of your systems and NPI that are accessible to, or held by, third-party service providers.
  • Section 500.12, Multi-Factor Authentication - by November 1, 2024, your agency will have to implement ​​​​authentication through verification of at least two types of factors such as passwords, tokens, and face scans.
  • Section 500.13, Asset Management and Data Retention Requirements - your agency's cybersecurity policy must include policies and procedures for periodically and securely disposing of NPI you no longer need. By November 1, 2025, you will also have to maintain a written inventory of all your computer systems' devices, including who has them and where.
  • Section 500.14, Monitoring and Training - by November 1, 2024, you must provide regular cybersecurity awareness training to the users of your computer systems.
  • Section 500.17, Notices to Superintendent - you must notify DFS within 72 hours of determining that certain types of cybersecurity incidents have occurred. Also, between January 1 and April 15 each year, you must submit to DFS either a certification that your agency was in material compliance with the regulation the prior calendar year or an acknowledgement that you were not in material compliance with one or more sections. If it's that second one, you must report what you are doing about it.

For more information, visit:

More resources will be available soon. Watch our bi-weekly newsletters and this website for announcements.​​​


There are no comments for this post.

 ‭(Hidden)‬ Blog Tools