Am I exempt from 23 NYCRR 500?


If you have been wondering whether you are exempt from NYS Part 500, this article may help you figure it out. There are 5 categories of exemptions, including limited exemptions.

| Exemption Category | Type | Description |
|---|---|---|
| Exemption Category 1 | Small Covered Entities | (i) Covered Entities with fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity (Section 500.19(a)(1)); (ii) Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates (Section 500.19(a)(2)); and (iii) Covered Entities with less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates (Section 500.19(a)(3)). |
| Exemption Category 2 | Employees, Agents, Representatives and Designees | Employees, agents, representatives or designees of a Covered Entity who are covered by the cybersecurity program of the Covered Entity (Section 500.19(b)). |
| Exemption Category 3 | Covered Entities without Access to Information Systems or Nonpublic Information | Covered Entities that do not directly or indirectly operate, maintain, utilize or control any Information Systems, and that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information (Section 500.19(c)). |
| Exemption Category 4 | Insurance Covered Entities without Access to Non-Affiliate Nonpublic Information | Covered Entities under Article 70 of the Insurance Law that do not, and are not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to their corporate parent company (or Affiliates) (Section 500.19(d)). |
| Exemption Category 5 | Special Insurance Organizations and Certain Reinsurers | Persons subject to New York Insurance Law Section 1110; Persons subject to New York Insurance Law Section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125 (Section 500.19(f)). |

If you are exempt, you still have to:

  1. File a Cybersecurity Notice of Exemption.
  2. Implement the elements of the cybersecurity program that you are still required to implement.
  3. Depending on your exemption category, you may still need to build a cybersecurity program.

Cybersecurity Program requirements are outlined in the following table:

| Requirement | No Exemption | Exemption Category 1 | Exemption Category 2 | Exemption Category 3 | Exemption Category 4 | Exemption Category 5 |
|---|---|---|---|---|---|---|
| Section 500.02 Cybersecurity Program | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.03 Cybersecurity Policy | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.04 Chief Information Security Officer | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.05 Penetration Testing and Vulnerability Assessments | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.06 Audit Trail | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.07 Access Privileges | APPLICABLE | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.08 Application Security | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.09 Risk Assessment | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.10 Cybersecurity Personnel and Intelligence | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.11 Third Party Service Provider Security Policy | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.12 Multi-Factor Authentication | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.13 Limitations on Data Retention | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.14 Training and Monitoring | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.15 Encryption of Nonpublic Information | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.16 Incident Response Plan | APPLICABLE | EXEMPT | EXEMPT | EXEMPT | EXEMPT | EXEMPT |
| Section 500.17 Notices to Superintendent | APPLICABLE | APPLICABLE | EXEMPT | APPLICABLE | APPLICABLE | EXEMPT |
| Section 500.19 Notice of Exemption within 30 Days of Determination | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | APPLICABLE | EXEMPT |