Cyber series: Non-New York businesses advice

April 2, 2024

This article in the cyber series is for those individuals who may lack a significant physical or financial presence in New York state. Lacking a physical or financial presence in the state does not, by itself, mean that the New York cyber security regulation (23 NYCRR 500) does not apply to you.

What follows is a step-by-step guide to determine if the regulation applies to your agency and how.

Step one

Are you licensed to sell insurance in New York state? If the answer to that question is yes, then the New York cyber security regulation applies to you.

The regulation uses the term covered entity to describe those persons who are required to follow the regulation. Covered entity is defined as any person operating under an authorization from the New York State Department of Financial Services.

There’s no distinction made between whether a covered entity has a presence in New York state or not. More information on covered entities can be found here.

Step two

Once you determine that you are a covered entity, the next step is to figure out what type of covered entity you are. The regulation creates several classes of covered entities: regular covered entities, limited-exempt covered entities and Class A covered entities.

The size and profitability of a covered entity will determine exactly which type of covered entity your agency is and what you must do to be in compliance with the regulation.

Limited exemption:

Under the regulation, a covered entity will qualify for the limited exemption if it has:

  • fewer than 20 employees and independent contractors, including affiliates;
  • less than $7.5 million in gross annual revenue in each of the last three fiscal years from all business operations of the covered entity and the business operations in New York of the covered entity’s affiliates; or
  • less than $15 million in year-end total assets, including assets of all affiliates.

The limited exemption went through potentially significant amendments in 2023, which are likely to be particularly relevant to covered entities located outside of New York state.

Removed from the above employee threshold was a requirement that the employees be located in New York state.

Further, the gross annual revenue threshold previously was limited to New York state business operations. Both the amended employee threshold and the amended gross annual revenue threshold now account for out-of-state employees and business, respectively.

For out-of-state covered entities, this means you now need to consider all employees and gross annual revenue, regardless of location, when calculating the limited exemption.

Learn more about the limited exemption here.

Class A companies

On the other end of the spectrum are Class A companies.

These companies are large covered entities. By virtue of their size, they are required to do more than regular covered entities to protect their information systems.

A Class A company is any covered entity with at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this state of the covered entity’s affiliates, and either:

  • over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
  • over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all its affiliates no matter where located.

When calculating the number of employees and gross annual revenue, only those affiliates that share information systems, cyber security resources or all or any part of a cyber security program with the covered entity are included.

Note the “or” between the employee and gross annual revenue thresholds. A covered entity only needs to meet one of the above thresholds (in addition to the $20 million revenue requirement) to be considered a Class A company.

Step three

Once you determine which type of covered entity your agency is, you will be able to ascertain what sections of the regulation apply to you:

Compliance for covered entities

Compliance for Class A companies

Compliance for limited-exempt entities

Additional resources

Remember: You need to prove you were in compliance with New York state’s cyber security regulations for 2023 by Monday, April 15, 2024. If you are licensed in New York state, this compliance needs to be completed each year.

Do you need help? PIA Northeast members can contact the PIA Industry Resource Center, which can offer step-by-step directions to make this process easier. Call (800) 424-4244 or email resourcecenter@pia.org.

Navigating the new landscape: Key changes to 23 NYCRR 500

Cyber series: Let’s talk about covered entities

Cyber series: Understanding the limited exemption for covered entities

Cyber series: Non-New York businesses advice

Cyber series: Compliance for covered entities

Cyber series: What is a Class A company?

Cyber series: Compliance for Class A companies

Available to PIA Northeast members: N.Y. cyber security regulation tool kit

Bradford J. Lachut, Esq.
PIA Northeast

Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs at the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.
