New York State has issued proposed regulations extending existing regulations requiring banks and other financial institutions to have in place a comprehensive cybersecurity program to credit reporting agencies.  Governor Mario Cuomo announced that “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulations, every consumer reporting agency that assembles, evaluates or maintains a consumer credit report on NYS consumers must register with the State by February 1, 2018 and have in place a written cybersecurity program by April 4, 2018. The program must identify and assess internal and external cybersecurity risks that may threaten non-public information, including personally identifying consumer information. The program must include provisions that address data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, as well as other mandated areas.

Because the elements required to be addressed in the program are comprehensive, credit reporting agencies should begin the process of developing the program now to meet the April 4, 2018 deadline. Once the program is in place, moreover, the regulations also mandate phase in implementation dates for additional minimum protective standards that must be met.  These include requirements for annual penetration testing, bi-annual vulnerability assessments, limitations on data retention, encryption of non-public information and system generated audit trails to detect and respond to cybersecurity events.

Each agency must conduct a risk assessment of its information systems to include criteria for the evaluation and categorization of identified internal and external threats facing the organization. The risk assessment must describe how identified risks will be mitigated or accepted and how the program will address those risks.  Significantly, the risk assessment must not only address external hacking threats, but also require the identification and mitigation of risks posed by employees and other insiders, such as trusted vendors and independent contractors.  For example, employees who remotely access internal networks must be subject to multi-factor authentication or other “reasonably equivalent or more secure access controls.”

Each organization must also designate a qualified person as a Chief Information Security Officer responsible for implementation and enforcement of the program. The CISO will ultimately be responsible for responding to requests for “examination by the Superintendent of Financial Services as often as the Superintendent may deem it necessary.”  There are also breach notification requirements, as well as a mandate that the Board of Directors or a Senior Officer annually certify compliance with the cybersecurity regulations.  Failure to comply may result in revocation of the agency’s authorization to do business with New York’s regulated financial institutions and consumers.

Stay tuned to whether New York State’s call to action takes hold across the nation. In the meantime, you may find the governor’s press announcement by clicking here.