New York Cybersecurity Regulations Extended to Credit Reporting Agencies

Posted by

This week, Governor Cuomo has directed the Department of Financial Services to issue a final regulation requiring credit reporting agencies to comply with cybersecurity regulations applied to financial service companies, previously adopted in 23 NYCRR 500, et seq.

The new regulation, 23 NYCRR 201, et seq., obligates credit agencies reporting on 1,000 or more New York consumers to register annually with the DFS, and, beginning November 1, 2018, to comply the previously adopted standards, including adoption of a cybersecurity program and CISO, and other controls.

This action follows last year’s regulations directed to financial services companies setting standards for cybersecurity programs, and addressing data breach response.