In the rapidly evolving digital landscape, cybersecurity is more crucial than ever. This is particularly true in New York, where the state’s cyber security regulation, 23 NYCRR 500, plays a pivotal role. In part two of the PIA’s cyber series, let’s delve into a key aspect of this regulation: the concept of a “covered entity.” Understanding whether you fall under this category is essential, as it dictates your compliance obligations.
So, what does it mean to be a covered entity? Well, the definition of covered entity appears in 23 NYCRR 500.1(e) as follows:
“Covered entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”
But let’s unpack that term piece by piece.
“Covered entity means any person …”
The term ”person” is broader than you might think. For normal people, the term “person” may not seem like something that needs to be defined. But the “people” who write and argue about regulations (mostly attorneys) would disagree. As you might guess, 23 NYCRR 500 does contain a definition of “person.” It encompasses not just individuals, but also entities like partnerships, corporations, branches, agencies or associations. Essentially, it includes both humans and non-human business and governmental entities, as stated in 23 NYCRR 500.1(m).
Applying that back to the term “covered entity,” the regulation applies to any individual (what we might call humans) and non-human business and governmental entities. Basically, everyone and everything. If left there, “covered entity” would be exceptionally expansive. Time to bold some different words.
“… operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law …”
Now we get into what I would call the limiting clause of the definition of “covered entity.” The regulation only applies to those persons operating under or required to operate under some sort of official authorization from the New York Department of Financial Services—don’t think you can get out of compliance by just not getting licensed. An insurance agency or individually licensed agent or broker would fit squarely into the definition of covered entity. Under New York State Insurance Law 2102, no individual or entity is permitted to sell, solicit, or negotiate insurance products in New York unless licensed to do so by the DFS. You can learn more about New York’s licensing rules here.
The physical location of the licensed individual or entity does not matter either. The insurance law and regulation apply to all doing business in New York, whether the person or entity is in New York state or not. Both resident and nonresident agencies, to use the vernacular of the insurance law, are required to be licensed under New York state.
While that is the end of the definition of covered entity, that’s not the end of the discussion.
Not all covered entities are created equal. The regulation includes many places where covered entities of a certain size must do more than what is required of others. While there are other parts of the regulation that don’t apply to certain covered entities at all.
More on that to come …
Additional resources
Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.
Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.
Navigating the new landscape: Key changes to 23 NYCRR 500
Cyber series: Let’s talk about covered entities
Cyber series: Understanding the limited exemption for covered entities
Cyber series: Non-New York businesses advice
Cyber series: Compliance for covered entities
Cyber series: What is a Class A company?
Cyber series: Compliance for Class A companies
Available to PIA Northeast members: N.Y. cyber security regulation tool kit
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
