
PIA clarifies failure to file N.Y. cybersecurity Certification of Compliance

Clarifying potential confusion: Individually licensed employees DO NOT need to certify, but they still need to file a Notice of Exemption

Recent uncertainty has prompted PIANY to share the following questions, together with its published answers, regarding the New York cybersecurity regulation (23 NYCRR Part 500). Your association will continue to seek clarification and to share the information it obtains on limited exemptions, deadline compliance and other questions our members may have.

Q1. Am I required to file a Certification of Compliance if I filed for a limited exemption under 23 NYCRR Part 500.19(b) [an employee, agent, representative or designee of a Covered Entity]? A. NO. The Certification of Compliance is NOT required if you filed a Notice of Exemption under 23 NYCRR 500.19(b). Nowhere in the regulation does it state that a Covered Entity claiming the 500.19(b) exemption must file a Certification of Compliance. It specifically and clearly states that 500.19(b) Covered Entities are "EXEMPT" from the Part (see the text of the section below).

Q2. But the letter specifically states: "The Certificate of Compliance is required even if you filed for a limited exemption under 23 NYCRR Part 500.19." A. Yes, it does. But 500.19 has many parts, and some of them (the limited exemptions that relieve a Covered Entity of only certain requirements) would still require you to file a Certification of Compliance. 500.19(b) specifically exempts employees, agents and representatives from the cyber regulation as a whole (except for the requirement to file the Notice of Exemption), so filing a Certification of Compliance would in effect be certifying compliance with requirements that do not apply to you and, therefore, doesn't make any sense.

PIANY has reached out to the New York State Department of Financial Services with a request that it clarify this provision immediately. The relevant text of the regulation follows.

Section 500.19 Exemptions

(b) An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.

(e) A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption in the form set forth as Appendix B within 30 days of the determination that the Covered Entity is exempt.

Section 500.17 Notices to Superintendent

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by Feb. 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
