“I’m a small agency, so the New York regulation doesn’t apply to me, right?” This is perhaps the most common question, or rather misunderstanding, about the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500, often called Reg 500).
At a recent conference in the northeast, we heard “I only have four employees” or “I only do about $1M in business” a dozen times. The implication? “I’m a small agency, I don’t have to comply.”
Unfortunately, this is entirely false, albeit a common misconception.
The reality is that the exemptions that apply to small insurance agencies operating in New York are quite limited. Let’s look at precisely which provisions are and are not required.
First, who has a limited exemption? A Covered Entity qualifies if it meets any one of the following thresholds:
- Fewer than 10 employees (counting independent contractors, and employees of affiliates, who are located in New York or responsible for the entity's New York business)
- Less than $5M in gross annual revenue from New York business operations in each of the last three fiscal years
- Less than $10M in year-end total assets (calculated under generally accepted accounting principles, including the assets of affiliates)
So, you qualify for an exemption? Note that the exemption is not automatic: you must file a Notice of Exemption with the Superintendent within 30 days of determining that you qualify, and the exemption lapses if you later exceed the thresholds. With that filed, let's start with the good news. You do not have to:
- Appoint a Chief Information Security Officer
- Conduct penetration testing or vulnerability assessments
- Maintain an audit trail
- Maintain a written procedure for ensuring application security
- Utilize qualified cybersecurity personnel, either on staff or through a consultant
- Implement multi-factor authentication
- Conduct training and monitoring
- Implement encryption of Nonpublic Information
- Develop and implement an incident response plan
You’ll notice that agencies with a limited exemption are spared the more technical requirements of Reg 500. But many provisions still apply. Even the smallest agencies are required to:
- Implement and maintain a Cybersecurity Program
- Implement and follow a Cybersecurity Policy
- Ensure access to Nonpublic Information and Information Systems is managed appropriately
- Conduct periodic Risk Assessments on key threats to Nonpublic Information
- Implement and follow a Third-Party Service Provider Security Policy, including conducting periodic diligence on third parties
- Ensure limitations on data retention
- Provide notice to the Superintendent of NY DFS of any reportable Cybersecurity Event within 72 hours of determining it occurred, and file an annual certification of compliance with Reg 500
In short, no agency is entirely exempt. Every agency has several requirements to meet and must build the fundamentals of a Cybersecurity Program.
If you’re a small or mid-size agency and have a limited exemption, Securibly can help you comply quickly and cost-effectively. We’d love to be a resource!