Start Spreading the News: New York Amends Cybersecurity Regulations

On Halloween, New York announced that it had finalized amendments to part 23 NYCRR 500. Why should I care, you ask? After all, my credit union isn’t in New York and my board plans to keep it that way. Besides, I hate the Yankees.

First, some background. When these regulations took effect in 2017, they were proclaimed by New York as “the first in the nation” with comprehensive cybersecurity regulations. They require state-chartered and licensed institutions subject to the Department of Financial Services’ oversight that meets certain thresholds, including insurance companies and state credit unions and banks, to adopt a comprehensive cybersecurity framework; this generally mandates institutions to conduct assessments of cybersecurity risks, implement protections to guard against vulnerabilities such as mandating the encryption of data in transit, and due diligence requirements for third-party vendors. Covered entities must certify that they are following these regulations, and the state has aggressively taken enforcement actions against violators.

Why do these amendments matter to institutions not subject to New York State oversight? First, if you have a CUSO that needs to be licensed by the Department of Financial Services, the CUSO is subject to these regulations. Secondly, many of these changes reflect a codification of best practices, which your credit union may want to consider adopting if it hasn’t done so already. Finally, data breaches are inevitable. As credit unions face lawsuits claiming that they failed to use “reasonable care” to prevent data breaches, state regulations are often examined by courts and other regulators to determine what precautions financial institutions should be expected to take. Here is a look at some of the key changes with which covered institutions will have to comply once they are fully phased in.

Many of the most basic requirements that have been refined with these amendments may already be practices your credit union has adopted. For example, it is not enough to have risk assessments. Under the revised amendments, these assessments must be reviewed and updated at least annually. They should also be reviewed whenever a new business model or product is introduced. For example, DFS was finalizing these enhanced requirements at the same time that ChatGPT was being introduced. This technology may very well upend many of your procedures and product offerings, and your risk assessments and the procedures that grow from them should be updated to reflect these changes.

Another basic refinement of industry practice involves the mandated use of multi-factor authentication (MFA). Whereas New York’s previous regulation simply required the use of “effective controls, which may include multi-factor authentication or risk-based authentication,” the new requirements mandate the use of MFA.

Another basic but informative change is to limit access to systems containing non-public information to those individuals who need such access to perform their jobs. A basic but important step that all institutions should take is to periodically cull user access lists to ensure that they reflect the roles actually being performed by existing employees and not provide access to employees no longer employed by the credit union.

Although many of these changes reinforce existing practices, there are some requirements that may be a heavier lift. For example, New York State credit unions will have two years to implement policies and procedures “designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems.” While this will be onerous for some credit unions, it also ensures that impacted credit unions begin to develop policies and procedures for appropriately tracking member data. It is inevitable that most states and/or the federal government will eventually adopt California-style data portability and privacy standards.

Some of the most far-reaching changes only apply to the largest covered entities. For example, these “Class A” institutions are now going to be subject to independent audits of their cybersecurity programs. They also have to implement “an automated method of blocking commonly used passwords” for their accounts.

Recently, I found myself yelling at my tablet. I do that fairly frequently. I read a quote from a former Facebook vice president who explained, “Building things is way more fun than making things secure and safe. Until there’s a regulatory or press fire, you don’t deal with it.” This is of course lousy advice. By staying aware of what states are doing regarding cybersecurity frameworks, particularly in the absence of comprehensive federal law in this area, credit unions can stay up to date on emerging trends and practices.

This truly is an area of law in which New York has had an outsized influence.

Henry Meier is the former General Counsel of the New York Credit Union Association, where he authored the popular New York State of Mind blog. He now provides legal advice to credit unions on a broad range of legal, regulatory and legislative issues. He can be reached at (518) 223-5126 or via email at henrymeieresq@outlook.com.