Many agencies would benefit from the guidance of a cyber security professional. The Independent Insurance Agents & Brokers of New York connected with providers across New York to learn which areas each can lend expertise to. The result is a directory of providers from which you can choose the right fit for your agency.


View the directory

Does your agency currently hold a license to write business in the state of New York?

If so, you must comply with a recently implemented regulation. 23 NYCRR Part 500 requires entities that do business in the state of New York to maintain a cyber security plan.

Step 1 – Determine if you qualify for a limited exemption.

Do you meet at least one of the following criteria?

  • Fewer than 10 employees (including independent contractors)
  • Less than $10 million in year-end total assets (total assets means the combined amount of a company's fixed assets and current assets as recorded on the company's balance sheet)
  • Less than $5 million in gross revenue from New York State businesses


Once you have confirmed that you are exempt, you will need to send a form to the New York Department of Financial Services that establishes your partial exemption status. This will include creating an account and completing an online form (if you have an excess lines license in the state of New York, use the login for your annual tax filing) (Click Here).

Step 2 – Complete the round 1 requirements by October 30, 2017.


  1. Complete an assessment of your current cyber standards. There is a template on the Independent Insurance Agents & Brokers of New York website to get you started (Click Here).
  2. Create a written cyber security plan to keep on file and maintain as required. Again, a template developed by the Independent Insurance Agents & Brokers of New York can be accessed at the Insurors of TN website (Click Here).


Step 3 – Due February 15, 2018

With the exception of individual licensees who filed for a “complete” exemption pursuant to Section 500.19(b) of the regulation, ALL licensed resident and non-resident firms and individuals must file a Certification of Compliance by February 15, 2018. Licensees MUST certify that they are in full compliance with the following requirements:

  • Cybersecurity program
  • Cybersecurity Policy
  • Chief Information Security Officer requirement
  • Limitation of user access privileges
  • Cybersecurity personnel in place
  • Incident response plan
  • Notifications to DFS of cybersecurity events


Licensees that filed for a “limited” exemption under Section 500.19(a) of the regulation need to have fully complied with only the following requirements:

  • Cybersecurity program
  • Cybersecurity Policy
  • Limitation of user access privileges
  • Notifications to DFS of cybersecurity events


The New York Department of Financial Services has issued a filing clarification on its secure web portal. After logging on and then clicking on the function to file a Certification of Compliance, a message appears stating that the Certification due this coming February 15th must be filed on or after January 1, 2018. Certifications that were filed during 2017 must be refiled.

In addition to the 2018 Certification of Compliance, the following requirements must all be met by March 1, 2018:

  • Deliver Chief Information Security Officer report on the firm’s cybersecurity program to the firm’s Board
  • Perform penetration testing and monitoring assessments
  • Conduct a risk assessment of the firm’s information systems
  • Institute multi-factor authentication
  • Provide cyber security awareness training for all personnel


Step 4 – Due September 3, 2018


The following are the requirements that must be complied with by September 3rd:

  • Audit Trail (Section 500.06)
  • Application Security (Section 500.08)
  • Limitations on Data Retention (Section 500.13)
  • Monitoring (Section 500.14(a))
  • Encryption of Nonpublic Information (Section 500.15)