Despite changes to the New York Department of Financial Services (DFS) proposed cybersecurity requirements, CUNA and the New York Credit Union Association (NYCUA) remain concerned that the changes will be overly burdensome to credit unions. The DFS re-issued the proposal last week, after putting out the original proposal in 2016.
CUNA and the NYCUA filed a comment letter in November expressing concerns about the proposal, which covers state-chartered credit unions and credit union service organizations (CUSOs) incorporated under New York law.
CUNA and the NYCUA are still determining the impact of the revised proposal. However, it appears that the exemption from the regulation has been expanded to include organizations with fewer than 10 employees or less than $5 million in gross revenue in the last 3 years.
The previous exemption only applied to entities with fewer than 1,000 customers in each of the last 3 calendar years.
The proposed regulation has also been amended to clarify that an organization’s policies and programs are to be based on its risk assessment, but the DFS did not clarify the extent to which compliance with federal standards can satisfy these regulations.
The amendments also clarify that a covered entity can satisfy these regulations by using an affiliate’s cybersecurity program. In other words, a state charter with a CUSO can use a single program so long as it applies to both entities.
CUNA and the NYCUA remain concerned that the state’s proposed requirements for cybersecurity training and for institutions to encrypt nonpublic information that is not being transmitted will be overly burdensome for credit unions.
For more information, see CUNA’s Removing Barriers Blog.