It’s Alive! New York Finalizes Cybersecurity Regulations

February 17, 2017 at 9:59 am


There were three developments yesterday afternoon that will make today much more interesting for you.

First, the Cuomo Administration announced in banner headline font that it had finalized its first-in-the-nation Cybersecurity Regulations. Secondly, the fate of CFPB director Richard Cordray and the future structure of the bureau he oversees was thrown into further doubt when the Court of Appeals for the DC Circuit decided to reconsider the circuit’s earlier ruling that, as currently structured, the bureau is unconstitutional. The decision means that a larger group of judges will hear the appeal. It also means that the earlier ruling making the director an at-will employee is no longer effective. Last but not least, New York’s Industrial Board of Appeals has invalidated New York State regulations scheduled to take effect March 7th that would have required New York State employers to provide additional disclosures when setting up direct deposit programs and placed restrictions on employers who pay their employees with payroll cards. Each of these is worthy of its own blog, but because of time and space I am going to concentrate my efforts on the new cybersecurity regulations. Here goes:

The purpose of NY’s Cybersecurity Regulations is to mandate that all businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under The Banking law, The Insurance law or The Financial Services Law” of New York State develop comprehensive policies and procedures to protect business-related non-public information.

As one of my more astute blog readers pointed out when I previously wrote about this proposal, don’t assume that simply because you are federally chartered you don’t have to comply with this regulation. The state is trying to cast as broad a net as possible. As a result, it is clear that not only state-chartered credit unions will have to comply with this regulation, but also credit union affiliates, including mortgage- and insurance-related CUSOs of federal charters.

Furthermore, the regulation could also apply to your third-party vendors. I would suggest that you forward this information to your existing vendors if their activities involve non-public information.

What remains to be seen is whether the regulation is written broadly enough, and with the intention, to encompass federal charters, which may, for one reason or another, need to register with the state. The regulation takes effect in March, but its mandates are phased in between six months and two years. Finally, the final regulation expanded the size and scope of institutions that are partially exempt. Take a look at new Section 500.19 to see if your credit union is one of the lucky ones.

I will be back on Tuesday. Enjoy the long weekend.

Entry filed under: General.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
