Cyber series: Understanding the limited exemption for covered entities

January 30, 2024

Building on our previous exploration of “covered entities” under New York’s cyber security regulation (23 NYCRR 500), this article delves into another critical aspect: the limited exemption for covered entities.

The limited exemption underwent significant changes during the amendment process that was finalized in 2023. Understanding the amended limited exemption is critical to understanding your responsibilities under the regulation.

Understanding the limited exemption

Those covered entities that qualify for the limited exemption are excluded from many of the requirements of the regulation. The exemption is a recognition that some of the more stringent requirements of the regulation may not be feasible or necessary for all entities, particularly those of a smaller scale.

Who qualifies for the exemption?

The section of the cyber security regulation that addresses exemptions to the regulation is 23 NYCRR 500.19.

It is also a section that saw meaningful updates during the amendment process finalized in 2023. Many of those changes will be explored in future articles; of importance now are the changes made to the limited exemption. The updated thresholds will likely mean that more resident covered entities qualify for the limited exemption than in years past. At the same time, some covered entities, especially nonresidents, may lose the exemption they previously enjoyed. Under the amended regulation, a covered entity qualifies for the limited exemption if it has:

  1. fewer than 20 employees and independent contractors, including affiliates;
  2. less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates; or
  3. less than $15 million in year-end total assets, including assets of all affiliates.

Perhaps the most important word in that definition is "or." Because of that "or," a covered entity need only fall under one of the three enumerated thresholds to qualify for the limited exemption.

For example, an agency with 19 employees, $8 million in gross annual revenue, and $20 million in year-end total assets would qualify for the limited exemption by virtue of having fewer than 20 employees. The fact that the agency exceeds the thresholds for the other two factors does not disqualify it.

Special note for those with business outside of New York state

One of the larger changes made to the qualifications for the limited exemption was not an addition to the regulation, but the removal of some key words. While the dollar and headcount thresholds were raised, the deletion of a few phrases could have a significant impact on any covered entity with a presence in states outside of New York.

Deleted from the employee threshold was the requirement that the employees be located in New York. Similarly, the gross annual revenue threshold previously counted only New York state business operations. Both the amended employee and gross annual revenue thresholds now account for out-of-state employees and out-of-state business, respectively.

What does this mean in the real world? Covered entities now need to count all of their employees and independent contractors, and all of their own gross annual revenue, regardless of location, when testing for the limited exemption. (Note that, under the threshold as written, affiliates' revenue is still counted only for their business operations in New York, while affiliates' employees and assets are counted in full.) This change could be particularly significant for nonresident covered entities with a large presence in their home state or any other state.

Let's take the example of a New Jersey agency that holds a nonresident license in New York state. The agency has 22 employees, all in New Jersey. The agency has had $9 million in gross annual revenue in each of the previous three years, only $1 million of which is related to New York business. The agency also has $15 million in year-end total assets.

Prior to the 2023 amendments, this agency would have qualified for the limited exemption: none of its employees were located in New York and only $1 million of its revenue came from New York business, so it fell under the employee and revenue thresholds as previously written. Now this agency fails all three tests. It has 22 employees (not fewer than 20), $9 million in revenue (not less than $7.5 million), and $15 million in assets (not less than $15 million), so it will be subject to the full regulation.

Filing for the exemption

Those covered entities that qualify for the limited exemption are required to file a notice of exemption with the New York State Department of Financial Services. Under 23 NYCRR 500.19(e), the notice must be filed within 30 days of the determination that the covered entity is exempt. Instructions for filing are available on the DFS website.

Terminating an exemption

Those covered entities that no longer qualify for the limited exemption are required to terminate their previous notice of exemption with the DFS. Under 23 NYCRR 500.19(i), a covered entity that ceases to qualify as of its most recent fiscal year end has 180 days from that fiscal year end to comply with all applicable requirements of the regulation. Instructions for terminating a notice of exemption are available on the DFS website.

Implications of the exemption

Qualifying for the exemption relieves covered entities from some of the more onerous requirements of 23 NYCRR 500. However, it is important to remember that this is not a complete exemption from all cyber security measures. Those that qualify for the limited exemption still must comply with significant portions of the regulation, including:

  • performing a risk assessment;
  • developing a cyber security policy and program;
  • using multifactor authentication;
  • limiting user access;
  • conducting employee training; and
  • maintaining an asset inventory.

These are only a few of the requirements that those covered entities that qualify for the limited exemption must meet. The full requirements will be discussed in a future article.

As you can see, the limited exemption in 23 NYCRR 500 went through some significant changes. The qualifications for the limited exemption were simultaneously expanded and restricted. Many resident covered entities now will find themselves under the limited exemption, while many nonresident covered entities may find just the opposite.

For entities navigating this regulation, understanding and applying the exemption effectively can be a key to maintaining both compliance and security.

Additional resources

Remember: You need to certify your compliance with New York state's cyber security regulation for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this filing needs to be completed each year.

Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.

Navigating the new landscape: Key changes to 23 NYCRR 500

Cyber series: Let’s talk about covered entities

Cyber series: Non-New York businesses advice

Cyber series: Compliance for covered entities

Cyber series: What is a Class A company?

Cyber series: Compliance for Class A companies

Available to PIA Northeast members: N.Y. cyber security regulation tool kit

Bradford J. Lachut, Esq.
PIA Northeast

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, returned to the association in 2018 as director of government & industry affairs, responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his Juris Doctor from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.