The NYDFS breaks down the exemptions into nine types of entities that fall into five categories.
Exemption category 1: Small Covered Entities
- Exemption type 1: Covered Entities with fewer than 10 employees, including any independent contractors.
- Exemption type 2: Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years.
- Exemption type 3: Covered Entities with less than $10,000,000 in year-end total assets.
These Covered Entities are exempt from the requirements of the following sections:
- 500.04 (Chief Information Security Officer)
- 500.05 (Penetration Testing and Vulnerability Assessments)
- 500.06 (Audit Trail)
- 500.08 (Application Security)
- 500.10 (Cybersecurity Personnel and Intelligence)
- 500.12 (Multi-Factor Authentication)
- 500.14 (Training and Monitoring)
- 500.15 (Encryption of Nonpublic Information)
- 500.16 (Incident Response Plan)
Exemption category 2: Employees, agents, representatives, and designees
- Exemption type 4: Employees, agents, representatives, or designees of a Covered Entity who are covered by the cybersecurity program of the Covered Entity.
Because the definition of a Covered Entity is so broad, employees and other representatives of an organization may meet the definition of a Covered Entity themselves. If this applies, such Covered Entities are exempt from the substantive requirements of the Regulation.
Exemption category 3: Covered Entities without access to information systems or nonpublic information
- Exemption type 5: Covered Entities that don’t operate, maintain, utilize, or control any information systems, and those not required to own, access, generate, receive, or possess nonpublic information.
Such Covered Entities are exempt from the same sections as those in category 1, plus:
- 500.02 (Cybersecurity Program)
- 500.03 (Cybersecurity Policy)
Exemption category 4: Insurance covered entities without access to nonaffiliate nonpublic information
- Exemption type 6: Covered Entities that are not required to control, own, access, generate, receive, or possess nonpublic information other than information relating to its corporate parent company or affiliates.
Covered Entities under exemption Category 4 are exempt from the same sections as those in category 3.
Exemption category 5: Special insurance organizations and certain reinsurers
- Exemption type 7: Persons subject to New York Insurance Law section 1110 (relating to charitable annuity societies).
- Exemption type 8: Persons subject to New York Insurance Law section 5904 (relating to risk retention groups not chartered in New York).
- Exemption type 9: Any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.
Such individuals and non-governmental entities “are exempt from the requirements of the Cybersecurity Regulations altogether, provided that they do not otherwise qualify as a Covered Entity for purposes of the Cybersecurity Regulations.”
Any Covered Entity that determines that it is exempt under one or more of these categories must file a Notice of Exemptions within 30 days of that determination.
Want to read more on the NYDFS Cybersecurity Requirements? Download our free green paper to learn how implementing the international standard ISO 27001 will help you meet the Regulation: NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard.