NYDFS Cybersecurity Compliance & Filing Help
All businesses subject to NYDFS Cybersecurity Regulation, whether exempt or not, must comply with certain core requirements. Entities without an exemption must comply with the entire framework.

Full Regulatory Compliance for Non-Exempt Entities
Organizations that do not qualify for any exemptions under the NYDFS Cybersecurity Regulation are required to comply with and file documentation for all of the following sections in their entirety.
Requirements to Qualify for the 500.19(a) Exemption
- Employees: Fewer than 10 employees (including contractors) working in New York or connected to the business of the Covered Entity or its Affiliates.
- Gross Annual Revenue: Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations.
- Year-End Total Assets: Less than $10,000,000 in year-end total assets, including affiliates.
Even if you qualify for the 500.19(a) exemption, you are still required to file a formal Notice of Exemption with the New York Department of Financial Services (NYDFS) through their online portal by April 15 each year. Failure to file can result in penalties or being flagged as non-compliant.

Minimum Cybersecurity Standards Required Under the 500.19(a) Exemption
Even if you qualify for the 500.19(a) exemption, these baseline cybersecurity controls must still be implemented and maintained.
- Maintaining a formal cybersecurity program designed to protect your information systems and nonpublic information.
- Adopting a cybersecurity policy that addresses controls such as access, data governance, business continuity, and incident response.
- Conducting a documented risk assessment that evaluates internal and external cybersecurity risks.
- Managing and limiting user access privileges, and reviewing access rights periodically.
- Implementing security policies for third-party service providers, including written agreements and ongoing monitoring.
- Applying encryption for nonpublic information in transit and at rest, or implementing alternative controls where encryption is not feasible.
- Complying with 500.13 data retention requirements, including policies for secure data disposal. Note: Beginning November 1, 2025, this section will also require formal asset management practices.
- Monitoring for and reporting cybersecurity events to NYDFS within 72 hours of discovery.
- Offering cybersecurity awareness training to all staff on a regular basis.
- Implementing multi-factor authentication (MFA) for access to sensitive systems.
Remaining compliant with these requirements helps safeguard your business, avoid regulatory action, and protect your clients and stakeholders. Filing the exemption is not the end; it is the beginning of maintaining smart, secure operations.