On June 25, 2018, the New York State Department of Financial Services (NYS-DFS) issued a final regulation directed toward New York consumer credit reporting agencies. The regulation applies to agencies that reported on 1,000 or more New York consumers in the preceding year.
Per this regulation, “consumer reporting agencies” must:
- Register with NYS-DFS on or before September 1, 2018
- Comply with NYS-DFS cybersecurity “Part 500” rules on or before November 1, 2018
Once registered, agencies must comply with the cybersecurity rules delineated in 23 NYCRR 500. NYS-DFS issued these requirements in response to what it sees as the failure of consumer credit reporting agencies to safeguard consumer data or to appropriately investigate disputes of inaccuracy. In general, the regulation aims to increase consumer confidence in light of intensified cybersecurity threats.
Does this apply to portfolio companies?
While NYS-DFS 23 NYCRR 500 applies only to those financial firms for which the DFS is the licensing or regulatory authority (for example, investment advisers may be covered by the SEC, not DFS), the specifics of who it covers are not always clear. It can affect portfolio companies, so we recommend consulting with counsel to determine whether these deadlines and rules are applicable.
How ACA Can Help
ACA Aponix offers several solutions that can help Covered Entities comply with DFS NYCRR 500, including:
- Cybersecurity and Technology Risk Assessments
- Penetration Testing and Vulnerability Assessments
- Cybersecurity Awareness Training
- DFS 23 NYCRR 500 Readiness Assessments
- CISO Support Services
For More Information
If you have questions, please contact your regular ACA Aponix consultant or email us at firstname.lastname@example.org.