An important deadline is quickly approaching for every individual and insurance agency licensed to operate in New York State.

Earlier this year, the New York Department of Financial Services (NYDFS) promulgated a data security regulation that will take effect in stages over the next two years. Elements of the regulation are already in effect, and all agencies and individual agents licensed in the state—including nonresidents—now face new reporting obligations.

The most immediate deadline is this upcoming Monday, Oct. 30. Agencies and individuals that seek an exemption from all or some of the regulation’s mandates must provide notice to NYDFS as follows: 

For agencies: Every resident and nonresident insurance agency holding a New York license is subject to most of the requirements imposed by the new regulation. However, a series of additional requirements applies to a small universe of larger entities. An entity must comply with the additional mandates unless it has 1) fewer than 10 employees—including independent contractors—located in New York or responsible for the entity’s business; 2) less than $5 million in gross annual revenue from New York business operations; or 3) less than $10 million in year-end total assets.

Most independent agencies will satisfy one of these three criteria and be exempt from the extra requirements, but New York regulators nevertheless require such entities to file a notice of limited exemption with the state. In short, any New York-licensed insurance agency that qualifies for the limited exemption and does not want to be subject to the heightened requirements must file a notice with the state.

For individual agents: Individual agents who are covered by the cybersecurity program of another covered entity—such as their affiliated insurance agency—can qualify for a full exemption from the regulation, but must file a similar notice with the state. Since developing a cybersecurity program is an enterprise-level endeavor, almost all individual  agents  rely on their agencies to institute a program that satisfies the regulation’s obligations. In order to eliminate the possibility of being deemed non-compliant and fined, all New York-licensed insurance agents who are covered by cybersecurity program of their agencies will want to satisfy this reporting requirement.

Both the agency and individual agent filings described above must be made through an online portal located on the NYDFS website, and the process requires establishing an online account. Big I New York has developed helpful materials that explain these filing requirements and the underlying regulation. 

The exemption filings described here need only be submitted once, but they must be made by Oct. 30. If circumstances change and either the agency or individual agent no longer qualifies for an exemption, they will have 180 days to comply with the all applicable elements of the regulation. In addition to the exemption filing requirements, covered entities must also satisfy a separate annual “certificate of compliance” filing requirement beginning on Feb. 15, 2018. This annual compliance filing will also be made through the NYDFS online portal.

Wes Bissett is the Big “I” senior counsel of government affairs.