As small businesses, many of our customers qualify for a 500.19(a) limited exemption or other exemptions for upcoming deadlines under NYSDFS regulations. Understanding if, and which type of, exemption you qualify for is critical to understanding with which components of the updated Amendment you are required to comply.

There are three ways a Covered Entity may qualify for a 500.19(a) limited exemption:

1. A Covered Entity and its Affiliates combined must have fewer than 20 employees and independent contractors (500.19(a)(1));
2. A Covered Entity must have less than $7,500,000 in gross annual revenue in each of the last 3 fiscal years from all of its business operations combined with its Affiliates’ business operations in New York State (500.19(a)(2)); or
3. A Covered Entity must have less than $15,000,000 in year-end total assets, including assets of all Affiliates.

To understand if you qualify for a full or other limited exemption, refer to the NYSDFS site or the Am I Exempt from DFS’s Cybersecurity Regulation flowchart.

STILL TIME TO SUBMIT COMPLIANCE NOTIFICATIONS

April 15, 2024

Exemptions must be requested and approved prior to certification. If you qualify for a Limited Exemption, such as the 500.19(a) exemption above, you must still certify annually. If you qualify for a Full Exemption, you must still submit your Notice of Exemption annually.

Although due by April 15, 2024, if you have not yet submitted your annual compliance notification, NYS DFS is still accepting them through the DFS Portal.

UPCOMING DEADLINES

Below are requirements that will be effective for all Covered Entities, including those that qualify for exemptions under Sections 500.19 (a) of the amended Cybersecurity Regulation. 

If you are a DFS-licensed entity that is not a Class A company and does not quality for exemptions under the amended Cybersecurity Regulation, please refer to the Cybersecurity Implementation Timeline for Covered Entities for your full list of requirements.

November 1, 2024

• Implement multifactor authentication (MFA) requirements outlined in Section 500.12(a) if you have not already done so.
• Provide all personnel at your business at least annual cybersecurity awareness training.

May 1, 2025

• Implement enhanced requirements regarding limiting user access privileges, including privileged account access.
• Review access privileges and remove or disable accounts and access that are no longer necessary.
• Disable or securely configure all protocols that permit remote control of devices.
• Promptly terminate access following personnel departures.
• Implement a reasonable written password policy to the extent you use passwords.

NYSDFS has resources to help you better understand the Amendment and additional requirements Exempt and Partially Exempt Entities (Including 500.19(a), (c), and (d) ) | Standard Entities | Class A Entities | Cybersecurity Resource Center

WE ARE HERE TO HELP

The NYSDFS Amendment can be complex and confusing. If you are a customer and would like to discuss and clarify your requirements, or if you are noncompliant and would like our help with annual NYSDFS Risk Assessments or Cybersecurity Policy development, please contact your Customer Success Specialist or support@orbitalfire.com for assistance.

For small businesses looking for assistance with their NYSDFS compliance, or any other cybersecurity strategy assistance, reach out to sales@orbitalfire.com.