N.Y.: New York cyber-compliance certification due April 15

February 8, 2022

New York’s Cybersecurity Regulation (23 NYCRR 500) requires all insurance entities that hold a New York state insurance license—referred to as covered entities in the regulation—to file a certification of compliance with the New York Department of Financial Services by Friday, April 15, 2022. The deadline was moved permanently in 2020 from Feb. 15 to April 15 each year.

Tips for filing

Multiple licenses. Covered entities are required to file a certification of compliance for each New York state insurance license they hold. This means that if an agency has three licenses, it is required to file three different certifications of compliance.

Record keeping. After completing a certification of compliance, agencies should receive a receipt from the DFS. All certification receipts will start with the letter C. However, the receipt will not contain an agency’s license number. For entities with multiple licenses, PIANY recommends that agents make a note on each receipt to indicate which license the certification is for. This will make it easier to keep track if there is an issue with the certifications and it will reduce the chances that a license could fall through the cracks.

Licensed employees. While licensed agency employees are considered covered entities, they are exempt from many of the reporting requirements because they are covered by their agency’s cyber security program. Licensed employees still are required to file a one-time exemption, but they are not required to file a certification of compliance. Instead, they would be covered under their agency’s certification. With this in mind, it is important for each agency to review the list of employees who are covered by their certifications to ensure that the list is accurate from year to year. Agencies want to avoid any situation in which they are certifying employees who no longer work for the agency.

Exemptions. While the certification of compliance must be filed every year, covered entities that qualify for a limited exemption are required to file for the exemption only once. However, they should be aware that a covered entity is required to amend the exemption filing within 180 days if it loses eligibility.

Resources for certification

To help insurance agents who do business in New York state stay up-to-date on 23 NYCRR 500, PIA offers cyber resources through its Privacy Compliance Central. For questions about the regulation, email PIA’s Industry Resource Center.

To learn more about the certification process, access the DFS’ instructions for certification.

About the author…

Bradford J. Lachut, Esq.

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
