Start Spreading the News: New York Amends Cybersecurity Regulations

Credit/Shutterstock

On Halloween, New York announced that it had finalized amendments to part 23 NYCRR 500. Why should I care, you ask? After all, my credit union isn’t in New York and my board plans to keep it that way. Besides, I hate the Yankees.

First, some background. When these regulations took effect in 2017, they were proclaimed by New York as “the first in the nation” with comprehensive cybersecurity regulations. They require state-chartered and licensed institutions subject to the Department of Financial Services’ oversight that meets certain thresholds, including insurance companies and state credit unions and banks, to adopt a comprehensive cybersecurity framework; this generally mandates institutions to conduct assessments of cybersecurity risks, implement protections to guard against vulnerabilities such as mandating the encryption of data in transit, and due diligence requirements for third-party vendors. Covered entities must certify that they are following these regulations, and the state has aggressively taken enforcement actions against violators.