Removing Barriers Blog

Potential New Cybersecurity Regulations Unveiled in New York
Posted November 13, 2015 by Chandler Schuette

This week, New York’s credit union and bank regulator released potential new regulations aimed at increasing financial services cybersecurity. The NY Department of Financial Services (DFS) issued the letter after conducting a survey of more than 150 of its regulated banking organizations about their cybersecurity programs, costs and future plans. Acting DFS Superintendent Anthony Albanese said “his agency considers cyber security to be among the most critical issues facing the financial world today.”

The potential new regulations would require covered entities, which include credit unions, to take the following actions:

  • Implement and maintain written cyber security policies and procedures
  • Implement and maintain policies and procedures for third party service providers
  • Implement multi-factor authentication for all access to internal systems and data from an external network
  • Designate an employee to serve as its Chief Information Security Officer
  • Maintain and implement written procedures, guidelines, and standards to ensure the security of all applications
  • Conduct annual penetration testing and quarterly vulnerability assessments
  • Notify DFS of any cyber security incident that could impact an institution

The New York Credit Union Association will be working with the regulator to ensure the rules are not overly burdensome to credit unions.

Earlier this year, New York Attorney General Eric Schneiderman proposed legislation that would strengthen protections for private information by expanding state law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If enacted, the Attorney General said the "new law will be the strongest, most comprehensive in the nation." The legislation, S 4887/A 6866, is listed as pending.