January 10, 2019

At the tail end of 2018, the New York Department of Financial Services (NYDFS) provided an important piece of clarification on its Cybersecurity Rule. In email notifications that went out on December 31, 2018, the NYDFS made clear that companies would not just have to file the Notice of Exemption once, but annually, meaning businesses will need to re-file their Notice of Exemption if they wish to keep their exempt status in 2019. Click here to access the full memo prepared by our legal team at Steptoe & Johnson.

The Notice of Exemption is distinct from the Certificate of Compliance each covered entity under the NYDFS rule is obligated to file each year. Furthermore, the Notice of Exemption must be filed before the Certificate of Compliance due February 15, 2019. It is thus highly recommended that companies file their Notices of Exemption in time for the NYDFS to receive and process them before the Certificate of Compliance deadline in mid-February.

When the NYDFS Cybersecurity Rule was first promulgated, it laid out several exemptions that a company could claim under a Notice of Exemption filed with the NYDFS. Each company with (exemptions paraphrased; see §500.19 of the rule for a more detailed look):

  • fewer than 10 employees, or
  • less than $5,000,000 in gross annual revenue, or
  • less than $10,000,000 in year-end total assets

can file for exemption from the requirements of the rule as long as the company submits the Notice of Exemption before the appropriate deadline. The Notice of Exemption and the Certificate of Compliance are both electronic forms that can be submitted through the NYDFS cybersecurity portal. A link to further information about filing as well as access to the portal itself can be found here.