NYDFS Extends Cybersecurity Regulation to Credit Reporting Agencies
Credit bureaus that operate in New York will have to fall in line with NYDFS's rigid cybersecurity rules by November in order to avoid stiff penalties and heavy fines.
The New York State Department of Financial Services' (NYDFS) Cybersecurity Regulation isn't just for big banks anymore.
Every credit reporting agency that operates in the Empire State will be required to register with the NYDFS as a Covered Entity and comply with its rigid cybersecurity standard beginning November 1.
The NYDFS' Cybersecurity Regulation, also known as 23 NYCRR Part 500, went into effect in August last year. It requires Covered Entities to implement and maintain a comprehensive cybersecurity policy, enact controls, encrypt sensitive data, complete an annual certification of compliance, deploy multi-factor authentication, and carry out incident reporting. The regulation traditionally applies to financial services companies like state-chartered banks, foreign banks licensed to operate in the state, mortgage companies, and insurance providers. It was designed to help thwart data breaches across the industry and is widely viewed as one of the strongest cybersecurity regulations on the books in the U.S.
The state's Governor, Andrew M. Cuomo, announced the regulation for consumer credit reporting agencies, dubbed 23 NYCRR 201 (PDF), on Monday.
There is technically a threshold credit reporting agencies need to meet before the regulation applies to them. Specifically, agencies that reported on 1,000 or more New York consumers in the preceding years need to register annually with the NYDFS "beginning on or before September 1, 2018, and by February 1 of each successive year for the calendar year thereafter," according to an announcement on the NYDFS' site. Consumer credit reporting agencies will have until November 1, 2018 to comply.
The agencies will face three further deadlines (February 28, 2019, August 31, 2019, and December 31, 2019) to comply with additional requirements, such as 23 NYCRR 500's Limitations on Data Retention policy, its Risk Assessment policy, and its Third Party Service Provider Security Policy.
As part of the new regulation, NYDFS Superintendent Maria T. Vullo will be able to deny, suspend and, in some cases, revoke a credit reporting agency's ability to do business with financial institutions if it fails to comply. Failure to comply in this instance could include defrauding or misleading consumers, or engaging in unfair, deceptive, or predatory acts.
The regulation brings to fruition a proposal that Cuomo and Vullo initially floated last September, shortly after the Equifax breach was disclosed.
Under the regulation, financial services companies, including credit reporting agencies as of November, have to:
- Have a cybersecurity program designed to protect consumers' private data
- Have a written policy or policies that are approved by the board or a senior officer
- Appoint a Chief Information Security Officer to help protect data and systems
- Put controls and plans in place to help ensure the safety and soundness of New York's financial services industry
- Ensure data is protected from third-party vendors
- File an annual certification of compliance with DFS
It should come as no surprise that the regulation was largely spurred by last year's massive Equifax breach, an incident that exposed the personal information of 147.9 million U.S. consumers last fall.
"The data breach at Equifax demonstrated the absolute necessity of strong state regulation, such as New York's first-in-the-nation cybersecurity regulation, to safeguard New York's markets, consumers and sensitive information from cyberattacks," Vullo said in a release trumpeting the regulation. "DFS's oversight of credit reporting agencies will help to ensure that the personal data of New York consumers is less vulnerable to cyberattacks in this digital world, in order to prevent further breaches of consumer financial information."