Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On April 24, the New York Department of Financial Services (NYDFS) announced updated guidance to New York-licensed insurers advising them of their obligations under New York’s Insurance Law and requiring entities to file disaster response plans and questionnaires by September 28, through two updated circular letters. The first updated circular letter—addressed to property/casualty insurance companies, including mortgage guaranty insurers, title insurers, and captive insurers—provides, among other things, that in addition to filing a disaster response and recovery plan, insurers must develop a business continuity plan and regularly perform a business impact analysis “to predict the consequences of disruption of a business function and process as a result of a disaster.” Additionally, the letter clarifies business impact analysis requirements and outlines areas to be addressed within an insurer’s business continuity plan. According to NYDFS, the updated requirements are issued “in light of disasters that may occur outside of New York, such as hurricanes, terrorist attacks, or cybersecurity breaches, which could affect an insurer’s ability to serve New York consumers.”
On March 23, the New York Department of Financial Services (NYDFS) provided a second update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in InfoBytes, as was the last update in February. The new update to the FAQs adds the following guidance:
- An individual filing a Certificate of Compliance for his or her own individual license with no Board of Directors is acting as a Senior Officer as defined by 23 NYCRR 500 and should complete the filing process in that manner; and
- Entity ID is defined as an entity’s state-issued unique license or charter number. Specific information is provided for insurance companies and mortgage loan originators in the FAQs.
On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”
Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.
On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. This week’s updates to the FAQs add the following guidance:
- Due to increasing cybersecurity risks facing financial institutions, NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500”;
- Not-for-profit mortgage brokers are Covered Entities under the cybersecurity regulation;
- Covered Entities, when acquiring or merging with a new company, must conduct a factual analysis of how the cybersecurity regulation applies to the acquisition or merger. In addition, NYDFS emphasized that Covered Entities must have in place serious due diligence processes and ensure cybersecurity is a priority; and
- Health Maintenance Organizations and continuing-care retirement communities are Covered Entities and must comply with the cybersecurity regulation requirements.
As previously covered in InfoBytes, on January 22, NYDFS issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance was February 15.
On January 22, the New York Department of Financial Services (NYDFS) issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance is February 15, 2018. Mandated by NYDFS’ cybersecurity regulation that went into effect March 1, 2017 (see previous InfoBytes coverage here), the certification covers the prior calendar year and must be filed electronically through the DFS cybersecurity portal. NYDFS Superintendent Maria T. Vullo also announced that going forward, cybersecurity will be incorporated into all department examinations, and cybersecurity-related questions will be added to NYDFS’ “first day letters” issued to commence examinations of financial services companies.
Recently, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1 and establishes cybersecurity requirements for banks, insurance companies, and other financial services companies. The December updates to the FAQs address risk-based requirements affecting covered entities, including the following topics; (i) penetration testing and vulnerability assessments; (ii) third-party service provider due diligence requirements; (iii) limited notices of exemption; and (iv) record requirements.
On Tuesday, New York State adopted emergency regulations intended to “provide consumers with the means to protect themselves against identity theft” and assist those consumers who have fallen victim to such theft. The New York Department of State’s Division of Consumer Protection (the Division), which has the authority to promulgate rules and regulations related to consumer protection activities of all state agencies, announced the adoption of regulations as part of its Identify Theft Prevention and Mitigation Program (the Program). In a press release issued December 12 by the office of New York Governor Andrew M. Cuomo, the regulations will require consumer credit reporting agencies to comply with the following, among other things:
- provide responses within 10 days to information requests made by the Division when investigating, mediating, or mitigating a consumer’s identity theft complaint;
- identify dedicated points of contact to assist the Division’s effective administering of the program;
- make available to the Division a list and description of all business affiliations and contractual relationships that provide identity theft and credit monitoring-related products or services; and
- clearly disclose all fees associated with offered products and services marketed to prevent identity theft, and inform consumers of trial and cancellation provisions.
Consumer credit reporting agencies will be required to comply with these regulations, effective immediately. A to-be-announced public comment period will occur prior to the regulations’ final adoption.
As previously covered by InfoBytes, New York Department of Financial Services (NYDFS) has taken several steps to address cybersecurity concerns, including a September 18 announcement that the state would expand cybersecurity standards to cover credit reporting agencies. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations, would be required to initially register with NYDFS, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule.
Data Breach Fallout Continues: Lawsuit Filed by Massachusetts AG, NYDFS Cybersecurity Regulation to Possibly Include Credit Reporting Agencies, and Joint Letter Sent From 34 States Requesting Fee-Based Credit Monitoring Service Be Disabled
Massachusetts AG Lawsuit. On September 19, Massachusetts Attorney General Maura Healey announced it had filed the first enforcement action in the nation against the credit reporting agency. The complaint, filed in Massachusetts Superior Court, alleges that the agency ignored cybersecurity vulnerabilities for months before the breach occurred and claims that the agency could have prevented the data breach had it “implemented and maintained reasonable safeguards, consistent with representations made to the public in its privacy policies, industry standards, and the requirements of [the Massachusetts Data Security Regulations],” which went into effect March 1, 2010. The failure to secure the consumer information in its possession, the complaint asserts, constitutes an “egregious violation of Massachusetts consumer protection and data privacy laws.” Causes of action under the complaint arise from (i) the agency’s failure to provide prompt notice to the commonwealth or the public; (ii) the agency’s failure to safeguard consumers’ personal information; and (iii) the agency engaging in unfair or deceptive acts or practices under Massachusetts law. The commonwealth seeks, among other things, civil penalties, disgorgement of profits, and restitution.
NYDFS Cybersecurity Regulation. On September 18, New York Governor Andrew M. Cuomo released a notice directing the New York Department of Financial Services (NYDFS) to issue a proposed regulation that would expand the state’s “first-in-the-nation” cybersecurity standard to include credit reporting agencies and to require the agencies to register with NYDFS. The annual reporting obligation would, according to a press release issued by NYDFS, grant it the authority to deny or revoke a credit reporting agency’s authorization to do business with New York’s regulated financial institutions should the agency be found in violation of certain prohibited activities, including engaging in unfair, deceptive or predatory practices. Under the proposed regulation, credit reporting agencies would be subject to compliance examinations by NYDFS, would be required to initially register with NYDFS by February 1, 2018 and annually thereafter, and would be required to comply with cybersecurity regulations starting on April 4, 2018, in accordance with a phased-in compliance schedule. On the same day, NYDFS issued a separate press release urging New York state chartered and licensed financial institutions to take immediate action to protect consumers in light of the recent credit reporting agency data breach. The guidance presented in the release by the NYDFS is provided in conjunction with the state’s cybersecurity regulations.
State Attorneys General Request. On September 15, a letter co-authored by 34 state attorneys general was sent to the credit reporting agency’s legal counsel. The letter expresses concern over the agency’s conduct since the disclosure of the breach, including the offer of both fee-based and a free credit monitoring services, the waiver of certain consumer rights under the agency’s terms of service, and the charges incurred by consumers for a security freeze with other credit monitoring companies. Specifically, the attorneys general objected to the agency “using its own data breach as an opportunity to sell services to breach victims,” and argued that “[s]elling a fee-based product that competes with [the agency’s] own free offer of credit monitoring services to [data breach victims] is unfair, particularly if consumers are not sure if their information was compromised.” Accordingly, the letter requests that the agency temporarily disable links to fee-based services and extend the offer of free services until at least January 31, 2018. Further, the letter also expresses concern that consumers must pay for a security freeze with other credit monitoring companies and states that the agency should reimburse consumers who incur fees to completely freeze their credit.
Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation
On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).
One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.
If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in Infobytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.
- John R. Coleman to discuss “CFPB update” at the MBA Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State licensing and NMLS challenges" at MBA’s Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “Fair lending and equal opportunity laws” at the MBA Legal Issues and Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss “Contemplating the boundaries of UDAAP” at the MBA Legal Issues and Regulatory Compliance Conference
- Steven vonBerg to speak at closing “super session“ on compliance topics at MBA Legal Issues and Regulatory Compliance Conference
- Buckley Webcast: Fifth Circuit muddles CFPB’s plans to use in-house judges in enforcement proceedings
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference