New York Amends Cyber Security Proposal

January 3, 2017 at 9:51 am

I’m back and ready for a year that promises to be a blogger’s dream come true.

On December 28th, New York’s Department of Financial Services reissued its proposed Cybersecurity Program Requirements which are to be phased in starting in March.

Although the amendments are designed to clarify that entities covered by these regulations (a category that would include state chartered credit unions and CUSOs incorporated pursuant to State Law) can develop policies that reflect their individual risk assessments, it remains to be seen whether these changes will go far enough to assuage the concerns of the insurance companies, banks and credit unions that will have to comply with these “First in the Nation” requirements. Remember, these regulations only apply to state chartered institutions, but they may very well provide a template for other states across the nation.

First the good news. The exemption from these regulations (proposed section 500.19) has been expanded; it now includes an organization with fewer than 10 employees or less than $5,000,000 in gross revenue in the last three years. The previous exemption only applied to entities with fewer than 1,000 customers in each of the last three calendar years.

The proposed regulation has also been amended to clarify that an organization’s policies and programs are to be based on its risk assessment. While this helps, the Department refused to clarify the extent to which compliance with federal standards can satisfy these regulations.

The amendments also clarify that a covered entity can satisfy these regulations by using an affiliate’s cybersecurity program. In other words, a state charter with a CUSO can use a single program so long as it applies to both entities.

A huge issue, particularly for larger institutions, is the state’s proposal requiring institutions to encrypt nonpublic information that is not being transmitted. I have conversed with a couple of techies about this. They argue that when information is being stored on a secured system it shouldn’t be subjected to the same encryption requirements as data being transmitted. Show revised section 500.15 to your IT people and see if the proposed changes go far enough to address these concerns. Yours truly is by no means an IT expert, nor does he play one on TV.

There is still plenty in here to make institutions moan. For example, covered entities will still have to undergo cybersecurity training.

Happy New Year!


Entry filed under: New York State, Regulatory, technology.


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
