Zofia Buzz

New York's Credit Reporting Agencies (CRA) Must Comply with New Cyber Mandate


On June 25, 2018, any credit reporting agency (CRA) with “significant operations” in New York must register with the New York Department of Financial Services (NYDFS) and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. In addition to registering, CRAs must begin complying with New York’s cyber regulations as early as November 1, 2018. There are multiple deadlines over the next year for CRA compliance.

Here are some highlights:

  • By November 1, covered CRAs must have appointed a chief information security officer (CISO) and have implemented a written cybersecurity program, including an incident response plan, that are designed to safeguard the confidentiality, integrity and availability of the organization’s information systems.

  • Each CRA must base its cybersecurity program on a risk assessment it has conducted, and the program must be designed to enable the CRA to identify, detect, respond to and recover from a reportable “cybersecurity event.”

  • CRAs have a maximum of 72 hours to report a “cybersecurity event” to the NYDFS, making the reporting requirements more consistent with Federal guidelines for government agencies.

  • A member of the board of directors, or a senior officer, of each CRA must certify annually to the NYDFS the agency’s compliance with the regulations. The first certification is due on February 15, 2019.

  • Under this regulation, NYDFS has the authority to deny, suspend, or revoke a CRA’s license and ability to conduct business in New York if the agency fails to comply with the NYDFS’s cyber regulations, including a failure to certify annually its compliance.

Zofia Consultants are experts in full-time CISO activities and Enterprise Security Risk Management.

Not every organization has the need or resources for full-time, all the time, cybersecurity support. Having “Virtual CISO”™ expertise available part-time and virtually on-demand is a service more and more of our clients are asking for, particularly those needing to demonstrate compliance with State and Federal laws.

Zofia Consulting assists our clients through the complex cybersecurity maze and provides the necessary leadership and learning opportunities for ongoing protection, compliance, and mission success.

Learn more here: https://www.zofiaconsulting.com/virtual-ciso