
New York credit reporting agencies subject to new cyber security regulation

Tiffany Robertson

23 Oct 2017


New York State’s Department of Financial Services (DFS) recently issued a subpoena demanding more information from a national credit reporting agency concerning September’s cyber attack that compromised the sensitive information of up to 145.5 million Americans.

In addition to employing such enforcement options, New York’s Governor, Andrew Cuomo, directed the DFS to issue regulations requiring credit reporting agencies to register with them and comply with New York’s first-in-the-nation cyber security regulation.


Compliance with New York cyber security regulation required as of August 28

New York’s new cyber security standard became effective on March 1, 2017, but financial institutions were not required to comply until August 28, 2017. Consequently, all banks, insurance companies and other DFS-regulated financial services institutions must now have:

  • A cyber security program designed to protect consumers’ private data;
  • A written cyber security policy or policies approved by the board or a senior officer;
  • An official Information Security Officer focused on protecting data and systems; and
  • Controls and plans in place to protect the safety and soundness of New York’s financial services industry.


Delay in notification sparks criticism

September’s cyber attack engendered significant criticism because hackers are believed to have gained unauthorized access to very sensitive consumer and commercial data by exploiting a known web application vulnerability.

The agency is also under fire for waiting over a month to make the breach public. Governor Cuomo’s new regulations seek to address such issues by requiring credit reporting agencies to register with the state by February 1, 2018 and to comply with the state’s strict cyber security standard, including a requirement to report known cyber breaches within 72 hours.

A reportable cyber security event falls into at least one of the following categories:

  • It impacts the covered entity, and the entity is required to provide notice to any government body, self-regulatory agency or any other supervisory body; or
  • It has a reasonable likelihood of materially harming any material part of the covered entity’s normal operation(s).

DFS authorized to revoke right to do business in state

In addition, the new rules would prohibit outright fraud, as well as prohibit companies from omitting material information from a person’s credit report or reporting inaccurate information.

They also would authorize the state to deny the renewal of a consumer credit reporting company’s registration if the DFS superintendent considers the applicant untrustworthy or incompetent.

This would effectively revoke a credit reporting agency’s authorization to report on anyone located in New York State.


Cyber security regulations require a risk-based approach by the entire organization

Adoption of the state’s new cyber security regulation is a priority for New York’s DFS. Implementing the 16 pages of very specific new requirements requires a compliance program that is led by management and incorporated into the firm’s entire organization.

Most important, according to Steven Grossman, Vice President of cyber security and risk management firm Bay Dynamics, is the use of a risk-based approach to measure an organization’s cyber risk and to prioritize and escalate threats and vulnerabilities. He warns, however, that any tool, or even a regulation, is “only as good as the decision-makers, regulators and operators using it.”

Cyber breaches can impose serious costs on organizations. Following September’s breach, shares in the credit reporting agency dropped 18 percent in one day, its reputation as a custodian of consumer data was tarnished, and it is likely to incur significant costs in breach remediation, potential litigation and regulatory action, and, finally, higher cyber insurance premiums.

Training employees to be alert to cyber risks and to know how to report and respond to them is a crucial component of an effective cyber security program.

Thomson Reuters offers a variety of compliance training materials to bolster employee knowledge and participation in protecting information and privacy, including Data Privacy and Security, Information Security and Cyber Risk Awareness and Electronic Communications training.
