New York State Cybersecurity Requirements: Ensuring CU Compliance
Cyberattacks have more than doubled since the pandemic, according to the International Monetary Fund, and the risk of extreme losses from cyber incidents continues to increase. The financial services sector is a significant and unique target for cybersecurity threats, with the industry suffering more than 20,000 cyberattacks and $12 billion in losses over the last 20 years.
The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing cybersecurity threats posed to financial systems, and it has identified an increase in cybercriminal activity attempting to exploit organizations’ vulnerabilities to gain access to sensitive electronic data.
Updated Cybersecurity Regulation in New York State
Last year, the DFS made significant amendments to its Cybersecurity Regulation, 23 NYCRR Part 500, effective as of Nov. 1, 2023. The amendments reflect the first significant change to the Cybersecurity Regulations since their inception in 2017 and incorporate new information security compliance obligations for regulated entities – institutions operating under or required to obtain a license or similar authorization under New York’s insurance law, banking law or financial services law.
The revisions, the Department explains in its Cybersecurity Resource Center, aim to address the changes in the increasing sophistication of threat actors, the prevalence of and relative ease in executing cyberattacks, and the availability of additional controls to manage cyber risk at a reasonable cost.
The Impact for Credit Unions
The DFS cited a rapidly changing cybersecurity landscape where threat actors have become more sophisticated and more prevalent. As cyberattacks become easier to perpetrate and more expensive to remediate, the nature of credit union operations presents a unique risk for these organizations and their communities. The updated regulation promotes the protection of customer information as well as the information technology systems of regulated entities. Cyberattacks can cause significant financial losses for DFS-regulated entities as well as New York consumers whose private information is at risk of being revealed or stolen.
The updated DFS cybersecurity requirements are now affecting the operations of credit unions across New York State. One area that has raised questions and concerns among credit unions and other financial institutions is the revised definition of “covered entity” and its implications for affiliates and subsidiaries. Even if your credit union is exempt from DFS regulation, if your subsidiary or affiliate is considered a covered entity, a written information security program must be in place.
Ensuring Compliance for Your Organization
While the regulations aim to enhance cybersecurity measures across the financial sector, understanding how they apply to your specific organizational structure is crucial for ensuring compliance and avoiding potential penalties.
It’s more imperative than ever before for organizations to proactively improve their cybersecurity programs – and many already have with great success. All credit unions operating in New York State, especially those with subsidiaries or affiliates, should thoroughly review the updated regulations to determine their compliance obligations. To get started, consider taking the following steps:
- Review the updated DFS cybersecurity regulations in detail to understand the changes and their implications for your credit union and any affiliated entities.
- Assess whether your credit union and its subsidiaries or affiliates fall under the definition of a “covered entity” as per the revised regulations. DFS has a portal where you can search for covered entities.
- Take necessary steps to ensure compliance with the cybersecurity requirements outlined by the DFS, including implementing appropriate measures to safeguard sensitive data and protect against cyber threats.
- Seek guidance from legal and cybersecurity experts specializing in financial regulations to ensure comprehensive compliance and to mitigate any potential risks.
As the cybersecurity landscape continues to evolve, it’s critical that your credit union is prepared for possible threats. Given credit unions’ valuable data and their compliance requirements, it’s not surprising that they face unique challenges and threats in the cybersecurity space.
The DSF has made clear the need for credit unions to take this issue seriously at the highest level of the organization and design a unique program to address its specific risks. Ultimately, senior management must take responsibility for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.
Taking these steps to ensure compliance with cybersecurity requirements will help the safety of your institution and protect the valuable information and assets of your members.
Christopher Salone is a Consulting Manager and Financial Services Practice Leader for FoxPointe Solutions, the Information Risk Management Division of The Bonadio Group, a CPA firm based in Pittsford, N.Y.