{"id":129,"date":"2018-07-02T10:20:40","date_gmt":"2018-07-02T14:20:40","guid":{"rendered":"https:\/\/pbacyber.com\/?p=129"},"modified":"2019-04-12T11:01:36","modified_gmt":"2019-04-12T15:01:36","slug":"new-yorks-cyber-regulations-now-apply-to-credit-reporting-agencies","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/07\/02\/new-yorks-cyber-regulations-now-apply-to-credit-reporting-agencies\/","title":{"rendered":"New York\u2019s Cyber Regulations Now Apply to Credit Reporting Agencies"},"content":{"rendered":"<p>By\u00a0<a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-JoshuaMooney.html\" target=\"_blank\" rel=\"noopener noreferrer\">Josh Mooney<\/a> and <a href=\"https:\/\/www.whiteandwilliams.com\/lawyers-EmmaBechara.html\" target=\"_blank\" rel=\"noopener noreferrer\">Emma Bechara<\/a>, <a href=\"https:\/\/www.whiteandwilliams.com\" target=\"_blank\" rel=\"noopener noreferrer\">White and Williams LLP<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>On June 25, 2018, the New York Department of Financial Services (NYDFS) issued a final regulation that requires any credit reporting agency (CRA) with \u201csignificant operations\u201d in New York to register with the NYDFS and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. Significantly, as outlined below, CRAs also must begin complying with New York\u2019s cyber regulations as early as November 1, 2018 \u2013 <em>i.e.<\/em>, in four months.<span id=\"more-523\"><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>By November 1, covered CRAs must have appointed a chief information security officer and have implemented a written cybersecurity program, including an incident response plan, that are designed to safeguard the confidentiality, integrity and availability of the organization\u2019s information systems. 
Further, the CRA must base its cybersecurity program upon a conducted risk assessment, and it must have designed the program to enable the CRA to identify, detect, respond to and recover from a reportable \u201ccybersecurity event.\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>Under the regulations, CRAs will have a maximum of 72 hours to report a \u201ccybersecurity event\u201d to the NYDFS. This is a significant uptick from previous reporting requirements under New York law, which enabled CRAs to take weeks or even longer to report an event. Finally, and significantly, a member of the board of directors or a senior officer of each CRA now must certify annually to the NYDFS the agency\u2019s compliance with the regulations. The first certification is due on February 15, 2019.<\/p>\n<p>&nbsp;<\/p>\n<p>The new regulation also comes with teeth. Under Part 201.05, NYDFS has the authority to deny, suspend, or revoke a CRA\u2019s license and ability to conduct business in New York if the agency:<\/p>\n<ul>\n<li>violates \u201cany insurance, financial service, or banking laws\u201d;<\/li>\n<li>violates \u201cany regulation, subpoena or order of the superintendent\u201d; or<\/li>\n<li>fails \u201cto comply with the requirements of this Part, including but not limited to, section 201.07 of this Part concerning cybersecurity.\u201d<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Thus, the regulation enables the NYDFS to suspend or revoke a CRA\u2019s license if the CRA fails to comply with the NYDFS\u2019s cyber regulations, including a failure to certify annually its compliance under Part 500.17.<\/p>\n<p>&nbsp;<\/p>\n<p>A timeline of CRAs\u2019 compliance requirements under the cyber regulation is as follows:<\/p>\n<ul>\n<li><strong>November 1, 2018:<\/strong> Sections 500.02, 500.03, 500.04(a), 500.07, 500.10, 500.14(b), 500.16, and 500.17;<\/li>\n<li><strong>February 29, 2019:<\/strong> Sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(a)(2);<\/li>\n<li><strong>August 31, 2019:<\/strong> 
Sections 500.06, 500.08, 500.13, 500.14 (a)(1) and 500.15;<\/li>\n<li><strong>December 31, 2019:<\/strong> Section 500.11.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0Josh Mooney and Emma Bechara, White and Williams LLP &nbsp; On June 25, 2018, the New York Department of Financial Services (NYDFS) issued a final regulation that requires any credit reporting agency (CRA) with \u201csignificant operations\u201d in New York to register with the NYDFS and comply with the NYDFS cyber regulations under Part 500. CRAs <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/07\/02\/new-yorks-cyber-regulations-now-apply-to-credit-reporting-agencies\/\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[11],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/129"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=129"}],"version-history":[{"count":4,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/129\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/129\/revisions\/269"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=129"}],"curies":[{"name":"
wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}