July 13, 2018
Client Alert

The Equifax Effect: New York Regulator Extends Cybersecurity Requirements to Credit Reporting Agencies

In the wake of the Equifax mega data breach, regulators across the financial services industry are focused on increasing cybersecurity oversight and imposing stiffer penalties on companies that fail to protect consumer data. On June 25, 2018, the New York Department of Financial Services (DFS) issued a new regulation entitled “Registration Requirements and Prohibited Practices for Credit Reporting Agencies” (CRA Regulation). This CRA Regulation became effective on July 3, 2018, and requires credit reporting agencies with significant operations in New York to (1) register annually with the DFS and (2) comply with the comprehensive cybersecurity regulations that the DFS adopted in March 2017 (Cybersecurity Regulations).

The Cybersecurity Regulations codify prescriptive requirements consistent with industry standards and best practices for businesses operating in New York’s banking, financial services, and insurance industries. The CRA Regulation compels credit reporting agencies to strengthen protections for consumer data by adopting the same rigorous standards that all other companies in New York’s financial services industry must follow.

Implementation Timeline

The cybersecurity requirements of the CRA Regulation are being implemented in four phases.

Phase 1: Consumer credit reporting agencies subject to the regulation must be in compliance with the following requirements by November 1, 2018:  

  • Establish an Effective Cybersecurity Program – Section 500.02
  • Develop and Maintain a Written Cybersecurity Policy – Section 500.03
  • Designate a Chief Information Security Officer – Section 500.04
  • Limit User Access Privileges To Systems Containing Nonpublic Information – Section 500.07
  • Develop Application Security Protocols – Section 500.08
  • Implement a Cybersecurity Awareness Program – Section 500.10
  • Implement a Continuous Monitoring Program – Section 500.14
  • Develop a Written Incident Response Plan – Section 500.16
  • Notify DFS within 72 Hours of the Discovery of a Cybersecurity Event – Section 500.17

Phase 2: Registered consumer credit reporting agencies will be required to comply with the following requirements by February 28, 2019:  

  • CISO Must Submit a Cybersecurity Report to the Company’s Board of Directors – Section 500.04(b)
  • Regularly Conduct Penetration Testing and Vulnerability Assessments – Section 500.05
  • Conduct Annual Cybersecurity Risk Assessments – Section 500.09
  • Employ Multi-Factor Authentication to Protect Against Unauthorized Access to Information Systems – Section 500.12
  • Provide Regular Cybersecurity Training – Section 500.14(a)(2)

Phase 3: Registered consumer credit reporting agencies must comply with the following key provisions of the DFS’s Cybersecurity Regulations by August 31, 2019:

  • Maintain Audit Trails of Sensitive Data – Section 500.06
  • Develop Policies to Ensure the Secure Development of Internal Applications – Section 500.08
  • Establish a Data Retention Policy – Section 500.13
  • Utilize Encryption to Protect Nonpublic Information – Section 500.15

Phase 4: To achieve and maintain compliance by December 31, 2019, all registered credit agencies must:  

  • Develop Written Policies and Procedures to Ensure the Security of Third-Party Systems – Section 500.11  

How We Can Help

As cybersecurity incidents continue to increase in frequency and severity, public companies and financial institutions should expect and prepare for increased regulatory scrutiny in the months ahead. Michael Best’s cybersecurity and data privacy attorneys are experienced with developing breach prevention and risk mitigation strategies that align with these new compliance frameworks.
