Click here to read the regulations.
While most Loan Originators and SOME companies are entirely exempt from the NYSDFS Cybersecurity Regulation (23 NYCRR Part 500) filing requirements, MOST companies must file, though small companies qualify for significant exemptions.
Updated Rubric
Our updated rubric (2-90 NY Certificate of Compliance) shows 3 columns from the exemptions listed in section 500.22.
a.) Exemption - if you are a small company with fewer than 20 employees, less than $7.5MM in revenue, and less than $15MM in assets, you receive the exemptions in column a.)
b.) Exemption - if you work or contract exclusively with someone else who complies, you receive a total exemption.
c.) Exemption - if you do not own the infrastructure, such as the application, network, website or any other technology you use to work with customer information, you have this additional exemption. This is important, because without it you must install multi-factor authentication across your entire platform, and you are also required to conduct penetration testing.
Examiners continue to ask for Penetration Testing
You must escalate this request to the service provider. For instance, if your technology is an Xfinity modem/router, you must request evidence of penetration testing from Xfinity. If you use Blink, Point, Lending Pad, or ANY OTHER LOS (loan origination system), you must ensure that they have conducted penetration testing. Get the certification from THEM. THEY MUST, as NY Licensees, comply with the law.
Download the updated 2-90 NY Certificate of Compliance Worksheet in Excel format

Ordinarily, we sell the NY CyberSecurity Compliance Plan as a separate service. Within it are the rubrics for completing your filing.