Cyber series: What is a Class A company?

February 27, 2024

When New York state’s cyber security regulation (23 NYCRR 500) was amended at the end of 2023, it included the creation of a new type of covered entity referred to as Class A companies.

Due to their size, these companies are required to go above and beyond what regular covered entities are required to do under the regulation. This article will examine the definition of a Class A company.

A-Team

Under the regulation, a Class A company is defined as any covered entity that meets a certain employee and asset threshold:

  • any covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this state of the covered entity’s affiliates and:
    • over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all its affiliates no matter where located; or
    • over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all its affiliates no matter where located.

Note the “or” between the employee threshold and the gross annual revenue threshold. A covered entity that meets the $20 million revenue requirement only needs to meet one of the two thresholds above to be considered a Class A company.

When calculating the number of employees and gross annual revenue, only those affiliates that share information systems, cyber security resources or all or any part of a cyber security program with the covered entity are included.

Additional resources

Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.

Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.

Navigating the new landscape: Key changes to 23 NYCRR 500

Cyber series: Let’s talk about covered entities

Cyber series: Understanding the limited exemption for covered entities

Cyber series: Non-New York businesses advice

Cyber series: Compliance for covered entities

Cyber series: What is a Class A company?

Cyber series: Compliance for Class A companies

Available to PIA Northeast members: N.Y. cyber security regulation tool kit

Bradford J. Lachut, Esq.
PIA Northeast

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
