18
(b) An employee, agent, wholly owned subsidiary, representative or designee of a covered entity,
who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity
program to the extent that the employee, agent, wholly owned subsidiary, representative or
designee is covered by the cybersecurity program of the covered entity.
(c) A covered entity that does not directly or indirectly operate, maintain, utilize or control any
information systems, and that does not, and is not required to, directly or indirectly control, own,
access, generate, receive or possess nonpublic information shall be exempt from the requirements
of sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14, 500.15 and
500.16 of this Part.
(d) A covered entity under article 70 of the Insurance Law that does not and is not required to
directly or indirectly control, own, access, generate, receive or possess nonpublic information other
than information relating to its corporate parent company (or affiliates) shall be exempt from the
requirements of sections 500.2, 500.3, 500.4, 500.5, 500.6, 500.7, 500.8, 500.10, 500.12, 500.14,
500.15 and 500.16 of this Part.
(e) An individual insurance broker subject to Insurance Law section 2104 who qualifies for the
exemption pursuant to section 500.19(c) of this Part and has not, for any compensation,
commission or other thing of value, acted or aided in any manner in soliciting, negotiating or
selling any policy or contract or in placing risks or taking out insurance on behalf of another person
for at least one year shall be exempt from the requirements of this Part, provided such individuals
do not otherwise qualify as a covered entity for purposes of this Part.
[(e)] (f) A covered entity that qualifies for any of the above exemptions pursuant to this section
shall file electronically a Notice of Exemption in the form set forth [as Appendix B of this Title]
on the department’s website within 30 days of the determination that the covered entity is exempt.
[(f)] (g) The following persons are exempt from the requirements of this Part, provided such
persons do not otherwise qualify as a covered entity for purposes of this Part: persons subject to
Insurance Law section 1110; persons subject to Insurance Law section 5904; [and] any accredited
reinsurer [or], certified reinsurer or reciprocal jurisdiction reinsurer that has been [accredited or
certified] so recognized pursuant to 11 NYCRR Part 125; individual insurance agents who are
placed in inactive status under Insurance Law section 2103; and individual licensees placed in
inactive status under Banking Law section 599-i.
[(g)] (h) In the event that a covered entity[, as of its most recent fiscal year end,] ceases to qualify
for an exemption, such covered entity shall have 180 days from [such fiscal year end] the date that
it ceases to so qualify to comply with all applicable requirements of this Part.
Section 500.20 is amended to read as follows:
(a) This regulation will be enforced by the superintendent pursuant to, and is not intended to limit,
the superintendent’s authority under any applicable laws.