Cybersecurity Alert: NYS DFS Clarifies Definition of Individuals Who are Also Covered Entities under 23 NYCRR Part 500

September 22, 2017

Threat Summary

The New York State Department of Financial Services (NYS DFS) recently announced that all captive agents and individuals who are also a Covered Entity as defined by NYS DFS’s Cybersecurity Requirements for Financial Services Companies (“23 NYCRR Part 500”) must file an attestation of compliance with or seek an exemption from the rule before September 27, 2017. This position deviates from the common understanding that an individual is considered compliant with 23 NYCRR Part 500 through their Covered Entity employer’s filing (NYS DFS’s FAQ specifically states “employees who are also covered entities”). NYS DFS defines a Covered Entity as any person who is licensed under NYS banking, financial, or insurance laws. ACA Aponix recommends consulting with legal counsel to determine your filing status.

All individuals who meet the definition of Covered Entity under 23 NYCRR Part 500 are required to file before September 27, 2017. Employees who are Covered Entities will need to file an exemption for their personal license or face penalties including license suspension or revocation.

How Covered Entity Employers Can Help Their Employees File

NYS DFS has created a process that will allow a parent company to register its employees as individuals for the noted exemptions. If a parent agency opts not to bulk register exemptions, then each licensed agent in the agency will need to file their own individual exemption to maintain compliance with 23 NYCRR Part 500.

Given the recent hacker focus on obtaining material nonpublic information (MNPI) for illegal profit, it stands to reason that public firms, investment advisers, boards of directors, law firms, and others that hold MNPI will be subject to similar attacks.

How ACA Aponix Can Help

ACA Aponix can help your firm assess its cybersecurity risk and identify vulnerabilities that could lead to a breach. Our services include:

For more on how parent companies can register their employees as exempt under this rule, refer to:

We recommend involving your legal team to confirm that they agree with our interpretation of the rule clarification.

For more information, contact Chad Neale at or your regular ACA consultant.