Removing Barriers Blog

Cybersecurity Regulations Reissued in New York
Posted January 04, 2017 by CUNA Advocacy

Last week, New York’s Department of Financial Services reissued its proposed Cybersecurity Program Requirements, which are to be phased in starting in March. In November, CUNA joined the New York Credit Union Association to express concerns about the proposal. State-chartered credit unions and CUSOs incorporated under New York law are among the entities covered by the proposal.

While we are still assessing the impact of the revised rule, we have determined that the exemption from these regulations (proposed section 500.19) has been expanded; it now includes organizations with fewer than 10 employees or less than $5,000,000 in gross revenue in the last three years. The previous exemption applied only to entities with fewer than 1,000 customers in each of the last three calendar years.

The proposed regulation has also been amended to clarify that an organization’s policies and programs are to be based on its risk assessment (proposed section 500.02). While this helps, the Department refused to clarify the extent to which compliance with federal standards can satisfy these regulations.

The amendments also clarify that a covered entity can satisfy these regulations by using an affiliate’s cybersecurity program (proposed section 500.02). In other words, a state charter with a CUSO can use a single program so long as it applies to both entities.

We remain concerned that the state’s proposed requirements for cybersecurity training (proposed section 500.14) and for institutions to encrypt nonpublic information that is not being transmitted, i.e., data at rest (proposed section 500.15), will be overly burdensome for credit unions.

Comments on the rule are due January 27, 2017.