By the terms of 23 NYCRR 500.19(e), Covered Entities that have determined they qualify for a limited exemption from compliance under 23 NYCRR 500.19(a)-(d) of New York’s new Cybersecurity Regulation — as of August 28, 2017 — are required to file a Notice of Exemption with the New York Department of Financial Services (NYDFS) on or prior to September 28, 2017.
The first compliance date of August 28, 2017 in New York’s cybersecurity regulation, and the date for Covered Entities to determine whether they qualify for a limited exemption from the regulation date for Covered Entities to make such a determination, has now come and gone. On the heels of these key dates, the New York Department of Financial Services (NYDFS) has updated two of the Frequently Asked Questions, Questions 1 and 4, in an effort to clarify the exemption requirements.
First, NYDFS addressed whether a Covered Entity is “entitled to an exemption under Section 500.19(b) if that Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity?” NYDFS clarified:
Section 500.19(b) states that a Covered Entity who is an “employee, agent, representative or designee of a Covered Entity . . . is exempt from” 23 NYCRR Part 500 and “need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity” (emphasis added). This exemption requires an entire employee, agent, representative or designee to be fully covered by the program of another Covered Entity. Therefore, a Covered Entity who is an employee, agent, representative or designee of more than one other Covered Entity will only qualify for a Section 500.19(b) exemption where the cybersecurity program of at least one of its parent Covered Entities fully covers all aspects of the employee’s, agent’s, representative’s or designee’s business.
Frequently Asked Questions, Question 1; See also ELANY Bulletin 2017-26 dated September 1, 2017.
Next, NYDFS addressed whether a Covered Entity can “file a notice of exemption on behalf of its employees or agents[.]” NYDFS clarified:
By permission, the Department will approve certain Covered Entities to file notices of exemption on behalf of their employees or captive agents who are also Covered Entities. This option will only be available for filings of 50 or more employees or captive agents and only if all employees or captive agents qualify for the same exemptions. Covered Entities with over 50 employees or agents on whose behalf they have authority to file should contact the Department at CyberRegComments@dfs.ny.gov from the email to which your Cybersecurity portal account is associated…. The Department will coordinate with the Covered Entity to submit a one-time filing form to effectuate an exemption filing for multiple covered entities… The Department emphasizes that the employee or captive agent, for whom the Covered Entity is filing, continues to be ultimately responsible in ensuring compliance with 23 NYCRR Part 500. It remains the responsibility of the employee or captive agent to notify the Department of any changes in their status.
Frequently Asked Questions, Question 4; See also, ELANY Bulletin 2017-27 dated September 11, 2017.
One issue that remains unanswered is whether a surplus line insurer domiciled in another state but eligible in New York would be a “Covered Entity.” 23 NYCRR Section 500.01 (c) is arguably inapplicable since a surplus lines insurer is, by definition, a nonadmitted (unlicensed) entity and, therefore, not an entity defined as a “Covered Entity” under that section of the regulation. A similar question could be raised with regard to an alien insurer organized as a United States Branch entered through a state other than New York.