New York’s Cybersecurity Regulation (23 NYCRR 500) requires all insurance entities that hold a New York state insurance license—referred to as covered entities in the regulation—to file a certification of compliance with the New York Department of Financial Services by Friday, April 15, 2022. The deadline was moved permanently in 2020 from Feb. 15 to April 15 each year.
Tips for filing
Multiple licenses. Covered entities are required to file a certification of compliance for each New York state insurance license they hold. This means that if an agency has three licenses, it is required to file three different certifications of compliance.
Record keeping. After completing a certification of compliance, agencies should receive a receipt from the DFS. All certification receipts will start with the letter C. However, the receipt will not contain an agency’s license number. For entities with multiple licenses, PIANY recommends that agents make a note on each receipt to indicate which license the certification is for. This will make it easier to keep track if there is an issue with the certifications, and it will reduce the chances that a license could fall through the cracks.
Licensed employees. While licensed agency employees are considered covered entities, they are exempt from many of the reporting requirements because they are covered by their agency’s cyber security program. Licensed employees still are required to file a one-time exemption, but they are not required to file a certification of compliance. Instead, they would be covered under their agency’s certification. With this in mind, it is important for each agency to review the list of employees who are covered by their certifications to ensure that the list is accurate from year to year. Agencies want to avoid any situation in which they are certifying employees who no longer work for the agency.
Exemptions. While the certification of compliance must be filed every year, covered entities that qualify for a limited exemption are required to file for the exemption only once. However, they should be aware that a covered entity is required to amend the exemption filing within 180 days if it loses eligibility.
Resources for certification
To help insurance agents who do business in New York state stay up-to-date on 23 NYCRR 500, PIA offers cyber resources through its Privacy Compliance Central. For questions about the regulation, email PIA’s Industry Resource Center.
To learn more about the certification process, access the DFS’ instructions for certification.
If you want to get involved with PIANY’s legislative and advocacy work, there are many ways to engage with the association: