What do you need to do?
Start here. We'll walk you through it.
STEP 1 | Determine if you qualify for a limited exemption
Your agency qualifies for a limited exemption if any of the following apply to it:
- Fewer than 10 employees (including independent contractors)
- Less than $10 million in year-end total assets
- Less than $5 million in gross revenue
We at IIABNY are very proud of the hard work and great success we had in expanding the limited exemption, thus allowing more agencies to be included in it and drastically reducing the hardship it presents.
Note: A limited exemption does not get you completely off the hook, but it drastically reduces the number of required actions.
Don't qualify for the limited exemption? Don't worry, we will help you comply.
STEP 2 | Complete the round 1 requirements by August 28
Complete the following actions by August 28, 2017
Agencies with Limited Exemption
File notice of limited exemption with DFS (you have 30 days from this date to submit) | How: Complete online filing
All Agencies (including those with limited exemption)
Agencies WITHOUT Exemption Must Also
Develop an incident response plan
Employ cybersecurity personnel
Note - Many agencies would benefit from the guidance of a cybersecurity professional. We connected with providers across NY to learn which areas each can lend expertese to. The result - a grid of providers for you to choose the right fit for your agency. View the directory
STEP 3 | Annual Certification of Compliance
Completing steps 1 and 2 will fulfill your requirements for 2017. Yay!
Mark February 15, 2018 on your calendar (and every February 15 in the future) That is when you must file your first annual certification of compliance. You will file it the same way you filed your limited exemption – online at the DFS website. You will be certifying that you are in compliance with the DFS Cybersecurity Regulation each year.