The Equifax Effect: NYS DFS’ Breach Response
NYS DFS 500 Cybersecurity Requirements are now extended to Credit Reporting Agencies.
In the aftermath of Equifax’s massive data breach in 2017, New York State Department of Financial Services (NYS DFS) passed a final regulation to protect New Yorkers from the threat of data breaches at Credit Reporting Agencies.
On June 25th, 2018, the New York Department of Financial Services (DFS) issued a new regulation, entitled, “Registration Requirements and Prohibited Practices for Credit Reporting Agencies” (CRA Regulation). This CRA Regulation became effective on July 3rd, 2018 and requires Credit Reporting Agencies with significant operations in New York to
(1) register annually with the DFS and
(2) comply with the comprehensive cybersecurity regulations that the DFS adopted in March 2017 (Cybersecurity Regulations).
Thus, this new regulation requires Credit Reporting Agencies with significant operations in New York to register with DFS for the first time and to comply with New York's first-in-the-nation cybersecurity standard, which previously required compliance from businesses operating in New York’s banking, financial services, and insurance industries. The CRA regulation compels Credit Reporting Agencies to strengthen protections for consumer data by adopting the same rigorous standards that all other companies in New York’s financial services industry must follow.
The annual reporting obligation also provides the DFS Superintendent with the authority to deny, suspend and potentially revoke a consumer Credit Reporting Agency's authorization to do business with New York's regulated financial institutions and consumers if the agency is found to be out of compliance with certain prohibited practices, including engaging in unfair, deceptive or predatory practices.
The cybersecurity requirements of the CRA Regulation are being implemented in four phases.
Consumer Credit Reporting Agencies subject to the regulation must be in compliance with the following requirements by November 1, 2018:
- Establish an Effective Cybersecurity Program – Section 500.02
- Develop and Maintain a Written Cybersecurity Policy – Section 500.03
- Designate a Chief Information Security Officer – Section 500.04
- Limit User Access Privileges To Systems Containing Nonpublic Information – Section 500.07
- Develop Application Security Protocols – Section 500.08
- Implement a Cybersecurity Awareness Program – Section 500.10
- Implement a Continuous Monitoring Program – Section 500.14
- Develop a Written Incident Response Plan – Section 500.16
- Notify DFS within 72 Hours of the Discovery of a Cybersecurity Event – Section 500.17
Registered consumer Credit Reporting Agencies will be required to comply with the following requirements by February 28, 2019:
- CISO Must Submit a Cybersecurity Report to the Company’s Board of Directors – Section 500.04(b)
- Regularly Conduct Penetration Testing and Vulnerability Assessments – Section 500.05
- Conduct Annual Cybersecurity Risk Assessments – Section 500.09
- Employ Multi-Factor Authentication to Protect Against Unauthorized Access to Information Systems – Section 500.12
- Provide Regular Cybersecurity Training – Section 500.14(a)(2)
Registered consumer Credit Reporting Agencies must comply with the following key provisions of the DFS’s Cybersecurity Regulations by August 31, 2019:
- Maintain Audit Trails of Sensitive Data – Section 500.06
- Develop Policies to Ensure the Secure Development of Internal Applications – Section 500.08
- Establish a Data Retention Policy – Section 500.13
- Utilize Encryption to Protect Nonpublic Information – Section 500.15
To achieve and maintain compliance by December 31, 2019, all registered Credit Reporting Agencies must:
- Develop Written Policies and Procedures to Ensure the Security of Third-Party Systems – Section 500.11
How Digital Edge Can Help
As cybersecurity incidents continue to increase in frequency and severity, public companies and financial institutions should expect and prepare for increased regulatory scrutiny in the months ahead.
Digital Edge is an expert in ISO standards and is certified by the International Organization for Standardization for Information Security and Quality (ISO 27001). There is a clear crosswalk between the DFS regulation and the ISO standards. Digital Edge will help implement policies, standards and practices that cover all DFS requirements, based on the ISO framework.
Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution, with our continued focus on Stability, Security, Efficiency and Compliance.
For more information on this regulation and to ensure that your organization is following the critical compliance requirements, please read our most recent articles:
- DFS Compliance – Mandatory Cybersecurity Requirements
- To Do: Check List to Comply with DFS Cybersecurity Law
- Discover the NEW online DFS Cybersecurity Reporting Portal
- Exempt from DFS Cybersecurity Regulations – Now What?