Skip Ribbon Commands
Skip to main content
Aug 14
Here's What To Do If the DFS Emailed You About Cybersecurity

A lot of members have been contacting us today about emails they received from the NYS Department of Financial Services about the Cybersecurity Requirements for Financial Services Companies regulation. These emails stated that the recipient had not filed the Certification of Compliance required by the regulation. The deadline for submitting the certification was June 1, 2020. 

If individuals within your agency got these emails, here are some possible explanations and steps you can take:

  • If it appears that the email was addressed to you as an individual, it is very possible that you inadvertently checked incorrect boxes when you filed the Notice of Exemption for your individual license in 2019. This is a very easy and common mistake; many of our members have done it. Unfortunately, there is no method available to the public for you to check the filing you made last year.

If you think this may be what happened, we suggest that you log in to the DFS Cybersecurity Portal, click on the Exemption button, and re-submit your Notice of Exemption. The link to the portal can be found by visiting, scrolling down the page to the area labeled Industry Quicklinks, and clicking the box for Cybersecurity Resource Center. 

Where the form asks for the reason why you are exempt, do not check the boxes for Section 500.19(a)(1), (2) or (3). If you check them, the DFS computer system will think you are an agency that must submit the Certification of Compliance. Instead, check only the box for Section 500.19(b). This will tell the DFS computer system that you are an employee, agent, representative or designee of your agency. Consequently, they will not expect a Certification of Compliance for your individual license number. 

Step-by-step instructions for filing are available on the Compliance Resources page in the Cybersecurity Resources section of our website. Click the Cybersecurity button on the home page at to visit this section. Be aware that this is a special benefit only for Big I NY members, so you must log in to the site first.

  • If it appears that the email was addressed to your agency as a whole, and you are not certain whether a Certification of Compliance was filed for the agency’s license number by the June 1 deadline, we strongly urge you to have someone file it at the earliest possible moment. Step-by-step instructions for this filing are also available on the Compliance Resources page.
  • If it appears that the email was addressed to your agency as a whole, and you have confirmation pages from when your agency filed the certification this year, we suggest that you send an email to the address given in the body of the message from the DFS. Do not attach a copy of the confirmation page, as the DFS computer security system will reject emails containing unsolicited attachments. Instead, provide the confirmation number (or numbers, if you have more than one confirmation page) in the body of your message and ask them to advise whether you need to do anything else.
We hope this helps. Don't forget to regularly visit our Cybersecurity Resources page for information to help with your ongoing efforts to protect your computer systems and your customers' private information.

UPDATE: Big I NY has been in contact with the DFS on this matter, especially as it relates to those agencies who received the email despite having filed the Certification of Compliance on time this year. We will post again in this space when we hear something back from them.


There are no comments for this post.

 ‭(Hidden)‬ Blog Tools