It’s Alive! New York Finalizes Cybersecurity Regulations
There were three developments yesterday afternoon that will make today much more interesting for you.
First, the Cuomo Administration announced in banner headline font that it had finalized its first-in-the-nation Cybersecurity Regulations. Second, the fate of CFPB director Richard Cordray and the future structure of the bureau he oversees were thrown into further doubt when the Court of Appeals for the DC Circuit decided to reconsider the circuit’s earlier ruling that, as currently structured, the bureau is unconstitutional. The decision means that a larger group of judges will hear the appeal. It also means that the earlier ruling making the director an at-will employee is no longer effective. Last but not least, New York’s Industrial Board of Appeals has invalidated New York State regulations scheduled to take effect March 7th that would have required New York State employers to provide additional disclosures when setting up direct deposit programs and would have placed restrictions on employers who pay their employees with payroll cards. Each of these is worthy of its own blog, but because of time and space I am going to concentrate my efforts on the new cybersecurity regulations. Here goes:
The purpose of NY’s Cybersecurity Regulations is to mandate that all businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under The Banking law, The Insurance law or The Financial Services Law” of New York State develop comprehensive policies and procedures to protect business-related non-public information.
As one of my more astute blog readers pointed out when I previously wrote about this proposal, don’t assume that simply because you are federally chartered you don’t have to comply with this regulation. The state is trying to cast as broad a net as possible. As a result, it is clear that not only state-chartered credit unions will have to comply with this regulation, but also credit union affiliates, including mortgage and insurance-related CUSOs of federal charters.
Furthermore, the regulation could also apply to your third-party vendors. I would suggest that you forward this information to your existing vendors if their activities involve non-public information.
What remains to be seen is whether the regulation is written broadly enough, and with the intention, to encompass federal charters, which may, for one reason or another, need to register with the state. The regulation takes effect in March, but its mandates are phased in between six months and two years. Lastly, the final regulation expanded the size and scope of institutions that are partially exempt. Take a look at new Section 500.19 to see if your credit union is one of the lucky ones.
I will be back on Tuesday. Enjoy the long weekend.