New York State Proposes Key Amendments to Cybersecurity Reg

Late this past Friday, New York’s Department of Financial Services provided a notice of proposed amendments to the Department’s Cybersecurity Regulation (23 NYCRR 500).  This regulation applies to any state licensed or regulated institution and their affiliates.

These proposed changes are a big deal.  In 2017, New York promulgated its “first in the nation” – New York loves to be first – Cybersecurity Regulation, which goes far beyond existing federal requirements.  Every year, state regulated institutions must certify that they are complying with this framework. As readers of this blog know, the State has moved aggressively against entities that have violated its provisions.

Much of the proposal builds on existing requirements.  For example, regulated entities must already perform cybersecurity risk assessments, but the enhanced regulation will make this requirement more prescriptive by detailing that the assessments take into account “the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place”.  

Regulated institutions must already have a Chief Information Security Officer (CISO).  This regulation further enhances the centrality of this role by mandating that CISOs “have adequate independence and authority to ensure cybersecurity risks are appropriately managed”.  This is incredibly general language to put in a regulation and at the very least should trigger a review of your credit union’s org chart. 

The existing regulation mandates penetration testing.  These changes mandate, among other things, that these tests be performed by a qualified independent party. 

But wait, there’s more.  I’m assuming that many of you already do this, but now you’ll be explicitly required to “implement written policies [and] procedures designed to ensure a complete, accurate, and documented asset inventory”.

As I already mentioned, the Department requires regulated entities to certify on an annual basis that they are complying with this regulation.  These certifications should not be taken lightly.  The proposed regulation includes new provisions in which entities will be asked to acknowledge if parts of their program don’t comply with this regulation.  Entities will have to provide a timeline for correcting these shortcomings. 

Larger regulated entities would be classified as Class A companies and subject to additional regulatory requirements:

  • Class A companies would be regulated entities with:
    • (1) over 2,000 employees, including those of both the covered entity and all of its affiliates no matter where located; or
    • (2) over $1,000,000,000 in gross annual revenue averaged over the last three fiscal years from all business operations of the covered entity and all of its affiliates.

There is more yours truly could discuss about this proposal, but time and space are running short.  Please designate someone to review these changes.  Remember, even if you’re not a state-chartered institution, New York’s regulation has had a nation-wide impact on cybersecurity standards.

On that note, I am off to the Long Island shorefront.  Enjoy your weekend.

August 4, 2022 at 12:13 pm

Accounting And Cyber Security Highlight The Summer Regulatory Season

I have some depressing news for you all: It’s August, which means that before you know it, it will be September, and all those things that you have been putting off until the fall will have to get accomplished. 

On that inspiring note, there are some recent developments that I wanted to make you aware of as you continue to sip your gin-and-tonic. 

First, with the caveat that yours truly knows just enough about accounting to know he doesn’t know all that much about accounting, I think you should all take a look at guidance proposed by NCUA and its fellow financial regulators which would for the first time since 2009 update accounting and regulatory principles related to troubled commercial real estate loans.  Even if you don’t deal with commercial real estate, this proposed guidance is a good example of how the advent of CECL will impact the way credit unions with $10M or more in assets will account for troubled debts under GAAP.

Most importantly, in March of this year the accounting board changed how financial institutions will account for delinquent loans.  The erstwhile TDR is going away.  Ultimately, by the end of 2023, all credit unions subject to GAAP will have to adopt this new standard, and the proposed guidance explains how the new accounting approach will impact creditors during and after the transition to the new standard.  Besides, the financial regulators have not issued guidance in this area since 2009, and for those of you with commercial real estate the new changes come just in time for the next recession.

Secondly, NCUA also joined its other financial regulators in issuing a proposed regulation mandating that federally insured credit unions have no more than 72 hours to report a suspected cyber incident.

The proposal would define a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”

This is certainly worthy of its own blog, so stay tuned. 

August 3, 2022 at 9:53 am

News Flash – Washington Working!

Nothing focuses the mind like fear, and it appears that as Democrats look over the horizon at an election contested against the backdrop of runaway inflation and an increasingly likely recession (the 70s are calling), and some Republicans want to campaign on more than conspiracy theories and hot-button social issues, DC is finding a way to break through some of the roadblocks that have all but paralyzed Congress in recent years.  Here are some initial thoughts for credit unions on some of the latest developments.

Yesterday, Senator Joe Manchin of West Virginia and New York’s Chuck Schumer announced that they had reached an agreement on a package of budget measures which would, among other things, implement major corporate tax reform.  If this comes to fruition, this is almost as big an announcement as Ben Affleck and Jennifer Lopez getting married in Vegas after their long and sometimes tumultuous courtship.  Under the plan, for-profit corporations with one billion dollars or more in profits for three consecutive years will have to pay a minimum tax of 15%.

Don’t get me wrong, this has nothing to do with credit unions and if all goes according to the plan, it won’t.  But whenever Washington starts talking about major tax reform and deficit reduction, it’s time to sharpen our talking points, because you can bet banking lobbyists are already suggesting how Congress can save even more money.  After all, longtime credit union lobbyists remember how Congress seriously considered doing away with the tax exemption as part of the 1986 tax reform measure.

Incidentally, the minimum corporate tax would also not apply to C-corporations, which are a way for some banks to avoid paying corporate level taxes.  Instead, taxes are paid by individual shareholders.

Also yesterday, the House Financial Services Committee marked up New York Congresswoman Maloney’s erstwhile proposal to limit overdraft fees.  According to the American Banker, the debate was a lively one, with Republicans sharply critical of the proposal.  The debate comes at a time when overdraft practices are being scrutinized by New York’s Department of Financial Services, and court-ordered Congressional lines have placed the Congresswoman in the middle of a primary election which reminds me of one of those college parties that get out of control because too many people just assume they’re invited.

Last, but not least, explaining that it was “highly attentive” to inflation risks and “strongly committed” to taming the beast, the Fed announced that it was raising the Fed Funds rate by another 75 basis points, marking its continued effort to close the barn door on inflation long after the horse has gotten away.  The wunderkinds of Wall Street responded to the news by sending the Dow Jones industrial average up more than 400 points.  While this is good news for my retirement fund, they might want to look back at history: the Fed has never been able to tame this level of inflation without triggering a recession, a recession that will take place as more and more smaller credit unions are merging out of existence.

On that happy note, enjoy the rest of your day.

July 28, 2022 at 9:54 am

NSF Liability Hinges On A Few Key Words

Overdraft and NSF litigation is all the rage.  A recent decision by New York’s federal district court in Manhattan demonstrates how subtle differences in account agreements can make all the difference when it comes to potentially costly class action litigation.

The following language was applicable to Municipal’s FasTrack Checking Account as outlined in its account agreement.

“NSF Fee: Each time an ACH debit request or bill payment you authorize, or check (share draft) you draw, is presented and returned as unpayable for any reason, a $32.00 service charge will be assessed.” Thompson v. Municipal Credit Union, 2022 WL 2717303, at *6 (S.D.N.Y., 2022)

Municipal, like so many larger credit unions, was sued by a member who claimed that the credit union violated the terms of its account agreement every time it charged an NSF fee for multiple ACH presentments for the same item.  In all this litigation, the legal issue is not whether multiple NSF charges can be levied but whether or not the language adequately explains when multiple NSF fees will be charged.  The good news is that a fair amount of case law involving this issue now provides some bright line guidance of which the Municipal case is the latest example.

Last week, a court dismissed the lawsuit against Municipal.  Its reasoning is worth examining for anyone responsible for making sure your account agreement adequately protects your credit union.  First, the court found that the agreement was structured in a way that made it clear to members which fees applied to which products.  For example, the above cited language was included specifically in the description of the FasTrack Checking Account product.

Secondly, plaintiff argued, as is typical in these cases, that the account agreement was ambiguous.  As I explained in this blog, they contend members are not given adequate notice that multiple NSF fees may result from a single merchant transaction because merchants may make multiple ACH payment requests for the same transaction or item.  Municipal’s language doesn’t even refer to an item.  It is a model of grammatical simplicity that would warm the heart of any 5th grade English teacher. 

“The Court need not consider whether the “per item” language is ambiguous. The NSF language applicable to FasTrack Checking Accounts is unambiguous and permits Defendant to assess a new fee each time a debit request or check is presented for payment, regardless whether that same debit request or check previously has been presented for payment and rejected for insufficient funds.”

Incidentally, this case was decided within days of DFS’s Overdraft/NSF Guidance imposing more disclosure requirements on state charters than would otherwise be required.  For example, state charters are now expected to provide NSF disclosures with each account statement and a direct point of contact. 

There is a lot going on in this space, both in the courts and at the regulators, so this week please join yours truly and my Compliance Compadres as we discuss the latest developments in overdraft and NSF fee regulations, litigation, and legislation on Wednesday, July 27th at 10:00am.  You can register at 2022 First Look Webinar: Overdraft Under the Microscope.

July 25, 2022 at 9:48 am

Time To Take A Second Look At NY’s Excelsior Linked Deposit Program

In life and politics, timing is everything.

In 2021, New York credit unions achieved a major victory when legislation was passed finally allowing both federally and state-chartered credit unions to participate in the Excelsior Linked Deposit Program (LDP).  Under this program, the state subsidizes the cost of small business loans to qualifying small businesses by providing state funds to lending institutions in return for reducing the interest rate charged to the qualifying business. 

For years the banks had argued that credit unions shouldn’t be allowed to help these small businesses because participating credit unions would receive public funds.  As a result, financial Armageddon would come to New York State with community banks dying away quicker than the dinosaurs. 

The catch is that in 1993 we were experiencing the tail end of a high interest rate cycle.  For example, the Federal Funds rate was 3.02% and the average 30-year mortgage rate was 7.31%.  Fast forward to 2021: the Federal Funds rate was 0.08% and mortgage rates were 2.96%.  Needless to say, more than a few credit unions ran the math and questioned the utility of this product.

So, I’m just here to remind you this morning that with interest rates heading towards levels we haven’t seen since at least the late ’80s, now is the time to take a second look at the Excelsior Linked Deposit Program.  It is a great way to help qualifying businesses at a time when we need to be providing all the help we can.  It also enables credit unions to offer access to a lending product that can help develop their small business lending portfolios, while at the same time demonstrating that giving credit unions access to public deposits is a good thing for consumers.

Here is an example, provided by New York State’s LDP Office, of how the program works:

  • Loan Amount: $87,000 (e.g. purchase of a business vehicle)
  • Loan Term: 5 years
  • Regular Bank Rate: 4.96%
  • 4 Year CD Rate: 1.25%
  • Linked Deposit Interest Rate: 3.71%
  • Total Savings Over 4 Years: $2,819

If you are interested in finding out more about the program, and I know after reading this pithy blog, you are, you can give the Association a call or you can go to the ESD/LDP web page: http://esd.ny.gov/BusinessPrograms/LinkedDeposit.html

On that note, stay cool.

July 21, 2022 at 9:12 am

Hey Alexa, Should I Be Letting My Members Use You For Their Banking?

Hello Folks.  Although there are several issues yours truly could blog about this morning, I’ve decided to give you a heads-up about some of the key legal issues to consider as your credit union ponders the extent to which it should allow your members to utilize personal technology assistants such as Google’s Nest, Amazon’s Alexa, and Apple’s Siri.  Incidentally, your members are going to insist on using the technology whether or not your credit union likes the idea.

For purposes of this blog, I will be generically referring to Alexa because it is my toy of choice and I love to hear it come to life every other second as I write this blog.  Secondly, voice assistants offer “skills” which are analogous to apps on your smart phone. Just as your credit union may choose to integrate certain apps into your core system, it also has the option of integrating a broad range of banking services into this technology. Everything I’m writing here assumes that your credit union has not developed its own technology or contracted directly with “financial skill” vendors.

Many credit unions have wrestled with the legal and compliance issues surrounding payment platforms such as PayPal and I expect there to be even greater confusion surrounding Alexa banking services.  In the short term, this means that the most important thing your credit union can do from a legal and compliance standpoint is to understand the risk environment and to minimize those risks in the terms and conditions to which your members must agree as part of using these services. 

Fortunately, NACHA has provided a great resource which I recently got around to reading and which inspired this blog.  In April, NACHA’s Payments Innovation Alliance released “Voice Payments: Contractual Considerations for Financial Institutions”, which is a must read for any compliance officer or counsel delving into this space for the first time.  It highlights the following areas that should be taken into account when developing contract language in this area:

  1. Incorporating Alexa’s payment skills terms and conditions into your agreement as a way of putting the member on notice that you have no relationship with the third-party service that might be providing this skill.  It also puts members on notice that they have certain obligations, such as appropriate settings, over which your credit union has no control.
  2. As much as I love my Alexa, it is also as intrusive as any technology envisioned by George Orwell in 1984.  For example, unless you have changed the settings, just about anything you say is being recorded.  As a result, making sure your member is put on notice of privacy considerations is crucial.  In addition, your privacy policy should be updated to reflect the use of this technology. Sample language provides in part: “Voice payment program technology may record your interactions for quality assurance purposes, and your use of the voice payment program constitutes consent to being recorded.”  In addition, keep in mind that there are states such as Illinois which have incorporated biometric privacy protections into statute.  Expect the number of these laws to continue to grow.
  3. Make members responsible for baseline cyber security protections.  Like any other transaction conducted over the internet, voice banking will only be as secure from hackers as the technology used to facilitate it.  This means that your contract language should stipulate that the member uses it over a secure network. Similarly, your credit union should of course use commercially reasonable efforts to protect this data.
  4. Now we get to the legal issue that yours truly is most intrigued by.  What happens when $3,000 is taken out of your member’s account but your member swears he only asked for $300 to be withdrawn?  In truth, we won’t know the answer to this conundrum until the courts and regulators begin deciding cases.  But in the meantime, this sample language provides you with some language to consider as you draft your own agreements.  “Your smart device and the voice recognition software were designed and manufactured by a third party. The financial institution does not control or update your device or its software. It is possible that a defect or malfunction with the device or software could result in inaccurate transactions and cause potential harm to you. By accepting these Terms, you understand and agree that the financial institution is not responsible for inaccuracies that are the result of the device or software. Please refer to your online account information to confirm that your voice payment command is accurate.”

What is the moral of this story?  We are in the early stages of implementing yet more transformative technology.  This is when contracts are most important.  As you decide whether to use Google, Alexa or Siri, understand your risks and invest in a lawyer familiar with these issues to draft your contracts. 

July 19, 2022 at 9:56 am

NY’s DFS Declares Certain Overdraft Practices To Be Unfair And Deceptive

New York’s Department of Financial Services took an aggressive stand against certain overdraft and NSF practices yesterday, issuing a guidance prohibiting state regulated institutions from continuing to offer certain types of overdraft services.

While the DFS’s guidance just applies to state regulated institutions, federal credit unions should pay attention to this development as New York often is a bellwether for the sentiments of other blue state regulators and the CFPB is continuing to examine so-called “junk fees”. 

In the guidance, the DFS provided notice to state-chartered institutions that examiners would be penalizing credit unions that engage in any one of the following practices:

  • Overdraft Fees Relating to Authorize Positive, Settle Negative (“APSN”) Transactions
  • Double Fees Arising from Futile Overdraft Protection Transfers
  • NSF Fees Relating to Representments

Impacted institutions should immediately examine their existing core processor systems to see how they process their payments.  For example, if your credit union uses a batch system and settles transactions hours or days after they have been authorized, you will have to make changes to your system.  This is just one basic example of the operational issues raised by this guidance.   

Because the state issued a guidance as opposed to a regulation following a public comment period, there are other important compliance issues not specifically addressed in the state’s pronouncement.  For example, the guidance does not address how financial institutions should comply with the Authorize Positive, Settle Negative prohibition when the initial debit transaction does not reflect the amount to be charged to the member.  In contrast, when the Federal Reserve issued regulations implementing overdraft opt-in requirements for debit transactions more than a decade ago, it recognized that there are situations when it is impossible to know what the size of a debit is going to be at the time it is made [Electronic Fund Transfers, 74 FR 5212-01]. For example, when a member uses a debit card at a gas station, a hold is put on the transaction which may or may not reflect the amount of money ultimately charged; a spouse filling up her Acura is going to be paying less than the spouse filling up the SUV.  The guidance does not explain how financial institutions should address these discrepancies.

DFS is presumably interpreting the authority of state regulators to utilize UDAAP powers granted under the Dodd-Frank Act as outlined in a recent opinion letter issued by the CFPB.  But given the importance of the issues that DFS is addressing, one would hope that additional guidance explaining their legal rationale would be forthcoming.  This is all the more important in New York where the Attorney General, and not the DFS, has UDAAP authority.

What we know for sure is that the relative handful of credit unions in New York that choose to be chartered by the state now face a host of compliance issues which their counterparts regulated exclusively by the NCUA do not.

July 13, 2022 at 10:55 am

FinCEN Stresses What You Already Know: All Members Aren’t the Same

Yours truly has been light on the blogs lately.  But rest assured, I have used this time to contemplate the big questions of life.  These include, in no particular order:

  • Is the Yankee pitching really that good?  The answer is no.
  • Why isn’t Tom Hanks getting more critical acclaim for his portrayal of Colonel Tom Parker in Elvis?
  • What changes, if any, should your credit union make in response to two recent notices issued by FinCEN and federal regulators reinforcing existing law regarding the flexibility financial institutions have to provide account services to businesses in high-risk industries?  I’m going to go out on a limb and assume that you are reading this blog because you expect to get information about FinCEN, so here goes.

On July 6, 2022, FinCEN, the NCUA and the other federal banking regulators that have oversight over the BSA/AML issued this letter “reinforcing” existing regulations by explaining that “not all customers of a particular type automatically represent a uniformly higher risk of money laundering, terrorist financing, or other illicit financial activities.”  This notice follows a similarly worded guidance issued by FinCEN in June explaining to banks and credit unions that they are not categorically prohibited from providing banking services to independent ATM owners and operators.  In providing the latter guidance, FinCEN stressed, as it has in the past, that these institutions often provide important services for underserved communities.

The regulators go on to explain that when conducting appropriate and ongoing customer due diligence, financial institutions should consider the unique characteristics of each business and not just the overall risk posed by a given industry.  “More specifically, banks must adopt appropriate risk-based procedures for conducting ongoing CDD that, among other things, enable banks to: (i) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (ii) conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

Now here’s why yours truly has been a little hesitant to comment on these pronouncements.  There is nothing in either of them that signals a new approach or interpretation of existing regulations.  In fact, I think both guidances have the ability to create more confusion when it comes to doing CDD for high-risk industries.  Most importantly, there are certain industries that do pose greater challenges for BSA/AML compliance in general and CDD specifically.  For example, marijuana related businesses are cash sensitive enterprises that can be perfectly legal or entirely illegal based on the THC level of a producer’s crop.  In addition, some commercial businesses have complicated structures that make it extremely difficult to identify a beneficial owner.  If you are going to provide services to these industries, you had better have the resources to do it properly, or the same group of regulators that issued these guidances will be knocking at your door.

Which leads me to wonder why the regulators felt the need to come out with these missives in the first place.  Pure speculation on my part, but I can’t help but think that these regulators want to preemptively assure politicians on both the left and the right that they won’t be encouraging financial institutions to pick sides in the culture wars.  Remember Operation Choke Point, when the Justice Department was questioning why financial institutions provided banking services to legal businesses they didn’t like, such as gun dealers?  On that note, enjoy your day.  For those of you interested, it is a beautiful day on Long Island.

July 11, 2022 at 9:47 am

Did the Supreme Court Just Make it Harder to Regulate the Banking Industry?

For one of the most heavily regulated industries in the country, how the courts interpret regulations is a big deal.  So when the Supreme Court articulates a new doctrine in ruling that a major federal agency lacks the authority to promulgate high profile regulations, it’s certainly a case of which industry lawyers should take note.

Among the closing flurry of cases decided by the Supreme Court last week was West Virginia v. EPA (West Virginia v. Environmental Protection Agency, 2022 WL 2347278).  In this case, the court ruled that EPA lacked the statutory authority to promulgate industry wide emission caps on power plants.  But for our purposes, what it did is not as important as the rationale it used in reaching its decision.  In other words, I’m not writing this blog to debate climate change or the best way to regulate global warming; I’m writing it because the same legal principles articulated by the Court could have an impact on virtually every high profile regulatory dispute for decades to come.

As readers of this blog know, I have been noting for a while that federal courts are growing increasingly frustrated by the expansive authority given to federal agencies under arguably poorly written federal statutes.  For decades, when courts have been confronted with a challenge to a new regulation, the first question they ask themselves is whether the statute is clear enough to make the regulation unnecessary; if it is not, the court will generally defer to the agency’s determination under so-called Chevron deference.  This was the basic framework the Court of Appeals used when upholding NCUA’s expansive definition of local community for Field of Membership purposes.

In the EPA case, the Court majority conceded that there was statutory language that arguably could be interpreted as permitting the EPA to promulgate its industry wide power plant regulations.  But the Court ruled that under what it termed the “major questions” doctrine, the Court will only recognize certain regulatory power if Congress is crystal clear in its delegation of authority.  In the EPA’s case, the Court reasoned that industry wide caps affecting large portions of the economy constituted a “major question.”  As a result, the EPA could not rely on a relatively obscure statute to exercise this power.  If Congress wanted the EPA to exercise this power, it would have been clearer.

Why is this potentially such a big deal?  Because it means that if an agency action is expansive enough, it could be challenged on the grounds that, given its importance, Congress should have spoken more clearly before the agency acted.  You can bet that the smart lawyers they have at the CFPB have already started skimming the Bureau’s enacting legislation to brace it for challenges to its authority.

Conversely, it is of course possible that the Court will limit its holding to this specific case, but I don’t think so.  As Justice Roberts explained in his majority opinion, the “major question” doctrine was being used because “it refers to an identifiable body of law that has developed over a series of significant cases all addressing a particular and recurring problem: agencies asserting highly consequential power beyond what Congress could reasonably be understood to have granted. Scholars and jurists have recognized the common threads between those decisions. So have we. See Utility Air, 573 U.S. at 324, 134 S.Ct. 2427 (citing Brown & Williamson and MCI); King v. Burwell, 576 U.S. 473, 486, 135 S.Ct. 2480, 192 L.Ed.2d 483 (2015) (citing Utility Air, Brown & Williamson, and Gonzales).”

The concerns raised by Justice Roberts are by no means unique to the EPA. 

July 5, 2022 at 8:43 am

Cybersecurity Fine Against Carnival Is A Reminder To Take Your Cybersecurity Obligations Seriously

New York’s Department of Financial Services recently announced the imposition of a $5M fine against Carnival Corporation and its subsidiaries for failing to promptly report a series of data breaches and ransomware attacks and providing inadequate cybersecurity training to its staff.  The fine is the latest example of how New York is aggressively pursuing actions against “covered entities” that don’t comply with New York’s cybersecurity regulations.

I’ve decided to use Carnival’s misfortune as a pretext for reminding you of New York’s regulations.  Even if you are not a “covered entity”, you would be well advised to be aware of New York’s mandates as they are playing a leading role in shaping industry expectations when it comes to cybersecurity programs. 

Under New York State’s regulations, a “covered entity” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” [23 CRR-NY 500.1(c)].  This definition means that state chartered institutions as well as CUSOs that are licensed by New York State must comply with this regulation.  For example, Carnival Corporation was licensed to provide insurance in New York State, a license it surrendered following this fine.

A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. [23 CRR-NY 500.1(d)]. 

Last, but not least, “covered entities” are responsible for implementing a cybersecurity framework which, at a minimum:

(1) Identifies and assesses internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;

(2) Uses defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;

(3) Detects cybersecurity events;

(4) Responds to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recovers from cybersecurity events and restores normal operations and services; and

(6) Fulfills applicable regulatory reporting obligations.

DFS’s latest action involved a series of data breaches and ransomware attacks against Carnival Corporation.  Carnival Corporation is a licensed insurance provider in New York State.  According to the Department, there were at least four separate cybersecurity incidents that were not reported to DFS within 72 hours as required under the regulations.  Covered entities must file notice of a cybersecurity event with the Department pursuant to the requirements of 23 NYCRR §§ 500.17(a)(1) and (a)(2). Section 500.17(a)(1) requires notice to the Superintendent, within 72 hours of determining there has been a cybersecurity event, when notices are “required to be provided to any government body, self-regulatory agency or any other supervisory body.”

New York’s regulation also underscores why it is so important to understand the specific obligations in the states in which you operate.  New York has a particularly broad definition of what constitutes a reportable event, since reporting obligations are triggered as soon as non-public information (NPI) is exposed to an unauthorized third party, regardless of whether or not there is evidence that the NPI was stolen or misused.  Furthermore, reporting obligations are triggered for any cybersecurity events “… that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity”.  This is a broad net, and the Department has repeatedly demonstrated that it has little patience for entities that don’t follow the 72-hour mandate.

Carnival Corporation’s other mistakes shouldn’t surprise anyone responsible for overseeing their credit union’s operations in this space.  For example, there was a period during which employees with access to NPI did not have to use multifactor authentication.

Finally, remember that every year now, every “covered entity” has an individual personally verify that it is complying with these regulations.  New York State’s latest action is the latest example of why you must take this verification seriously. 

June 28, 2022 at 10:34 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
