Am I exempt from 23 NYCRR 500?
If you have been wondering if you are exempt from NYS Part 500 this article may help you figure it out. There are 5 categories of exceptions including limited exemptions.
| Exemption | Exemption Category Type Description |
|---|---|
| Exemption Category 1 | Small Covered Entities - (i) Covered Entities with fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity (Section 500.19(a)(1)); (ii) Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates (Section 500.19(a)(2)); and (iii) Covered Entities with less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates (Section 500.19(a)(3)). |
| Exemption Category 2 | Employees, Agents, Representatives and Designees - Employees, agents, representatives or designees of a Covered Entity who are covered by the cybersecurity program of the Covered Entity (Section 500.19(b)). |
| Exemption Category 3 | Covered Entities without Access to Information Systems or Nonpublic Information - Covered Entities that do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information (Section 500.19(c)). |
| Exemption Category 4 | Insurance Covered Entities without Access to Non Affiliate Nonpublic Information - Covered Entities under Article 70 of the Insurance Law that do not and are not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) (Section 500.19(d)). |
| Exemption Category 5 | Special Insurance Organizations and Certain Reinsurers - Persons subject to New York Insurance Law Section 1110; Persons subject to New York Insurance Law Section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125 (Section 500.19(f)). |
If you are exempt you have to:
- File a Cybersecurity Notices of Exemption.
- Implement elements of the cycler security program that you are required to implement.
- Depending on your exemption category you will still need to build cyber security system.
Cybersecurity Program requirements are outlined in the following table:
| Requirement | No Exemption | Exemption Category 1 | Exemption Category 2 | Exemption Category 3 | Exemption Category 4 | Exemption Category 5 |
|---|---|---|---|---|---|---|
| Section 500.02 Cybersecurity Program | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.03 Cybersecurity Policy | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.04 Chief Information Security Officer | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.05 Penetration Testing and Vulnerability Assessments | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.06 Audit Trail | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.07 Access Privileges | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.08 Application Security | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.09 Risk Assessment | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.10 Cybersecurity Personnel and Intelligence | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.11 Third Party Service Provider Security Policy | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.12 Multi-Factor Authentication | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.13 Limitations on Data Retention | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.14 Training and Monitoring | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.15 Encryption of Nonpublic Information | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.16 Incident Response Plan | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.17 Notices to Superintendent | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.19 Notice of Exemption within 30 Days of Determination | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | EXEMPT |
Call Now!
