New Cybersecurity Regulations for Credit Reporting Agencies

Following the Equifax breach, New York State announced a proposed regulation for consumer credit reporting agencies. According to the press release, Governor Andrew M. Cuomo directed the Department of Financial Services (DFS) to issue a new regulation requiring credit reporting agencies to register with New York for the first time and to comply with the state's first-in-the-nation cybersecurity standard, 23 NYCRR Part 500.

Proposed Regulation Requires Credit Reporting Agencies to Comply with New York’s First-in-the-Nation Cybersecurity Regulation

Regulation Would Give the DFS Oversight of Credit Reporting Agencies for the First Time Ever

DFS Superintendent May Deny or Revoke Agencies’ Authorization to Do Business with New York’s Regulated Financial Institutions and Consumers 

“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

Under the proposed regulation, every consumer credit reporting agency that assembles, evaluates, or maintains a consumer credit report on New York State consumers must register with the State by February 1, 2018, and have a written cybersecurity program in place by April 4, 2018. The program must identify and assess the internal and external cybersecurity risks that may threaten Nonpublic Information, including personally identifying consumer information. It must include provisions addressing data governance and classification, asset inventory and device management, access control and identity management, systems and network security and monitoring, and the other areas mandated by Part 500.

The proposed regulation also subjects consumer credit reporting agencies to examination by DFS as often as the Superintendent determines is necessary, and prohibits agencies from:

  • Directly or indirectly employing any scheme, device or artifice to defraud or mislead a consumer.
  • Engaging in any unfair, deceptive or predatory act or practice toward any consumer, or misrepresenting or omitting any material information in connection with the assembly, evaluation, or maintenance of a credit report for a consumer located in New York State.
  • Engaging in any unfair, deceptive, or abusive act or practice in violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
  • Including inaccurate information in any consumer report relating to a consumer located in New York State.
  • Refusing to communicate with an authorized representative of a consumer located in New York State who provides a written authorization signed by the consumer, provided that the consumer credit reporting agency may adopt procedures reasonably related to verifying that the representative is in fact authorized to act on behalf of the consumer.
  • Making any false statement or omitting any material fact in connection with any information or reports filed with a governmental agency, or in connection with any investigation conducted by the Superintendent or another governmental agency.

New York State Cybersecurity Regulation

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises…” 

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. August 28, 2017 marked the end of the initial 180-day transitional period, by which most requirements had to be implemented; Part 500 grants longer transitional periods (one year, eighteen months, and two years) for certain sections, so check section 500.22 for the deadline that applies to each requirement.

Covered Entity

A “Covered Entity” means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. [23 NYCRR

Overview of 23 NYCRR Part 500

A. Each Covered Entity is required to establish and maintain a written cybersecurity program designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems and the Nonpublic Information therein. (500.02)

B. Each Covered Entity must adopt and maintain a written cybersecurity policy which contains processes and procedures for data governance and classification, access controls and identity management, business continuity and disaster recovery, systems operation and availability concerns, security, monitoring, quality assurance, privacy, third-party service provider management, risk assessment and incident response. (500.03)

C. Each Covered Entity must designate a qualified individual to serve as Chief Information Security Officer (CISO), responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. (500.04)

D. Each Covered Entity must implement written policies and procedures to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers, including due diligence and periodic assessment of those providers. (500.11)

E. The program must include a periodic Risk Assessment, the use of qualified cybersecurity personnel, the secure disposal of Nonpublic Information that is no longer necessary for business operations, and a written incident response plan. (500.09, 500.10, 500.13, 500.16)

F. Several controls are scaled to the organization’s Risk Assessment: annual penetration testing and bi-annual vulnerability assessments (unless continuous monitoring is in place), audit trail systems able to reconstruct material financial transactions and detect Cybersecurity Events, access logs and periodic review of access privileges, Multi-Factor Authentication for any individual accessing internal networks from an external network (unless the CISO approves reasonably equivalent controls), regular cybersecurity awareness training for personnel, and encryption of Nonpublic Information in transit and at rest (with compensating controls permitted only where the CISO determines encryption is infeasible). (500.05, 500.06, 500.07, 500.12, 500.14, 500.15)


To assist Covered Entities with their reporting requirements, which include notifying the Superintendent within 72 hours of determining that a reportable Cybersecurity Event has occurred and filing an annual certification of compliance (500.17), DFS has launched an online portal.

Cybriant offers programs to assist with every aspect of New York’s regulation 23 NYCRR Part 500. The Colorado Division of Securities has adopted similar cybersecurity rules for the broker-dealers and investment advisers it regulates. Under those rules, cybersecurity procedures must include, to the extent reasonably possible, the following:

  • An annual cybersecurity risk assessment (it may be performed in-house; an independent third party is not required)
  • Secure email, including encryption and digital signatures for emails containing Confidential Personal Information
  • Authentication practices for client instructions received by email and for employee access to electronic communications
  • Disclosure to clients of the risks of using electronic communications.
