When New York state’s cyber security regulation (23 NYCRR 500) was amended at the end of 2023, it included the creation of a new type of covered entity referred to as Class A companies.
Due to their size, these companies are required to go above and beyond what regular covered entities are required to do under the regulation. This article will examine the definition of a Class A company.
A-Team
Under the regulation, a Class A company is defined as any covered entity that meets a certain employee and asset threshold:
- any covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity business operations in this state of the covered entity’s affiliates and
- over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all its affiliates no matter where located; or
- over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all its affiliates no matter where located.
Note the “or” between the employee and gross annual revenue. A covered entity only needs to meet the threshold of one of the above to be considered a Class A company.
When calculating the number of employees and gross annual revenue, only those affiliates that share information systems, cyber security resources or all or any part of a cyber security program with the covered entity are included.
Additional resources
Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.
Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.
Navigating the new landscape: Key changes to 23 NYCRR 500
Cyber series: Let’s talk about covered entities
Cyber series: Understanding the limited exemption for covered entities
Cyber series: Non-New York businesses advice
Cyber series: Compliance for covered entities
Cyber series: What is a Class A company?
Cyber series: Compliance for Class A companies
Available to PIA Northeast members: N.Y. cyber security regulation tool kit
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
