Navigating NY DFS Part 500: Covered Entities and Exemptions

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500.

What is NY DFS Part 500?

23 NYCRR § 500, also referred to as “NY DFS Part 500”, is New York’s cybersecurity law passed in March of 2017 (a copy of which can be found here). NY DFS Part 500 addresses the seriousness of cybersecurity threats facing organizations in today’s technologically driven environment by regulating certain covered entities’ implementation of cybersecurity programs. “This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” See 23 NYCRR § 500.00. From the simplest of perspectives, this regulation establishes the minimum cybersecurity requirements for covered entities, e.g. the appointment of a C-Level executive to manage the cybersecurity program, penetration and vulnerability assessments, the implementation of audit trails, access privileges, SDLC methodologies with a focus on security, and so on.

Those who do not understand the risks involved may think these standards seem ‘overkill’. On the other side of the fence, many cybersecurity experts argue this regulation only requires the bare minimum. Irrespective of which side you fall on, it is important to remember that the organizations to which this applies control the world’s currency and, at the very least, should have a cybersecurity program in place to manage not only their own risk, but the risk of their clients whose money they hold. While I would recommend that all organizations have a cybersecurity program tailored to their specific needs, this regulation does not apply to all organizations.

Who does NY DFS Part 500 apply to?

The first step in determining whether NY DFS Part 500 applies to a given organization is to determine whether it is a covered entity under 23 NYCRR § 500.01(c). A covered entity is (1) any person, meaning any individual or any non-governmental entity, including but not limited to partnerships, corporations, branches, agencies, associations, etc., (2) operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization, under the Banking Law, Insurance Law, or Financial Services Law. See 23 NYCRR §§ 500.01(c), (i). More simply, if an organization (broadly defined) operates, or should operate, under the Banking, Insurance, or Financial Services Law, that organization is a covered entity for the purposes of 23 NYCRR § 500.01(c).

Which Covered Entities Qualify for an Exemption?

It is important to note that, even if a covered entity is ‘exempt’ under 23 NYCRR § 500.19, many of the exemptions described therein only apply to a portion of NY DFS Part 500. As an example, if a covered entity is exempt under 23 NYCRR § 500.19(d), that covered entity is only exempt from the requirements of the following sections: 23 NYCRR §§ 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16. See 23 NYCRR § 500.19(d). The covered entity must still comply with the other requirements under this regulation. The following list provides short descriptions of the exemptions defined in 23 NYCRR § 500.19:

Exemption Under 23 NYCRR § 500.19(a)

This exemption applies to covered entities that (1) have fewer than 10 employees (including independent contractors) located in New York, or (2) have less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, or (3) have less than $10,000,000 in year-end total assets.

Qualifying under this exemption makes the entity exempt from the requirements of the following sections: 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.

Exemption Under 23 NYCRR § 500.19(b)

This exemption applies to covered entities that are employees, agents, representatives, or designees of another covered entity. The child covered entity is exempt to the extent it is covered by the parent covered entity’s cybersecurity program.

Exemption Under 23 NYCRR § 500.19(c)

This exemption applies to covered entities that (1) do not directly or indirectly operate, maintain, utilize, or control any information systems, and (2) do not, and are not required to, directly or indirectly control, own, access, generate, receive, or possess nonpublic information.

Qualifying under this exemption makes the entity exempt from the requirements of the following sections: 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.

Exemption Under 23 NYCRR § 500.19(d)

This exemption applies to a covered entity under Article 70 of the Insurance Law that does not, and is not required to, directly or indirectly control, own, access, generate, receive, or possess nonpublic information other than information relating to its corporate parent company (or Affiliates).

Qualifying under this exemption makes the entity exempt from the requirements of the following sections: 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.

A covered entity that qualifies for any of the above exemptions must file a Notice of Exemption (provided in Appendix B of 23 NYCRR § 500) within 30 days of determining the covered entity is exempt. See 23 NYCRR § 500.19(e).

Exemption Under 23 NYCRR § 500.19(f)

This exemption applies to covered entities that qualify as covered entities only because they are subject to Insurance Law §§ 1110 or 5904, or because they are an accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR § 125.

If a covered entity, as of its most recent fiscal year end, ceases to qualify for an exemption, such covered entity shall have 180 days from such fiscal year end to comply with all applicable requirements of 23 NYCRR § 500.