On June 25, 2018, the New York Department of Financial Services (NYDFS) issued a final regulation that requires any credit reporting agency (CRA) with “significant operations” in New York to register with the NYDFS and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. Significantly, as outlined below, CRAs also must begin complying with New York’s cyber regulations as early as November 1, 2018 – i.e., in four months.
By November 1, covered CRAs must have appointed a chief information security officer and have implemented a written cybersecurity program, including an incident response plan, that are designed to safeguard the confidentiality, integrity and availability of the organization’s information systems. Further, the CRA must base its cybersecurity program upon a conducted risk assessment, and it must have designed the program to enable the CRA to identify, detect, respond to and recover from a reportable “cybersecurity event.”
Under the regulations, CRAs will have a maximum of 72 hours to report a “cybersecurity event” to the NYDFS. This is a significant uptick from previous reporting requirements under New York law, which enabled CRAs to take weeks or even longer to report an event. Finally, and significantly, a member of the board of directors or a senior officer of each CRA now must certify annually to the NYDFS the agency’s compliance with the regulations. The first certification is due on February 15, 2019.
The new regulation also comes with teeth. Under Part 201.05, NYDFS has the authority to deny, suspend, or revoke a CRA’s license and ability to conduct business in New York if the agency:
- violates “any insurance, financial service, or banking laws”;
- violates “any regulation, subpoena or order of the superintendent”; or
- fails “to comply with the requirements of this Part, including but not limited to, section 201.07 of this Part concerning cybersecurity.”
Thus, the regulation enables the NYDFS to suspend or revoke a CRA’s license if the CRA fails to comply with the NYDFS’s cyber regulations, including a failure to certify annually its compliance under Part 500.17.
A timeline of CRAs’ compliance requirements under the cyber regulation is as follows:
- November 1, 2018: Sections 500.02, 5000.3, 500.04(a), 500.07, 500.10, 500.14(b), 500.16, and 500.17;
- February 29, 2019: Sections 500.4(b), 500.05, 500.09, 500.12, and 500.14(a)(2);
- August 31, 2019: Sections 500.06, 500.08, 500.13, 500.14 (a)(1) and 500.15;
- December 31, 2019: Section 500.11.