
Heads-up for Financial Organizations: More Updates on the New York Cybersecurity Regulations

Updated: May 10, 2022



Bloomberg Law’s Senior Legal Editor Daniel R. Stoller this week posted more details on the New York Department of Financial Services (NYDFS) ruling that the major credit bureaus must comply with New York’s Cybersecurity Regulation by November 1st, 2018.


NYDFS decided to include Equifax, Experian and TransUnion under the NYDFS Cybersecurity Regulation, also known as the 23 NYCRR 500 Regulation, because of the 2017 Equifax and 2013 Experian data breaches. These rules will impose stricter cybersecurity requirements on the institutions that handle some of the most sensitive consumer data.


According to Bloomberg Law, Maria Vullo, the New York DFS Superintendent, said the “first-in-the nation rules were intended to safeguard New York’s markets, consumers and sensitive information from cyberattacks.”


One of the strictest of the new rules is the requirement that the credit bureaus must notify the NYDFS of a data breach within 72 hours. This notification requirement, along with other data protection requirements, mirrors that of the EU’s General Data Protection Regulation (GDPR).


Who Else is Affected?


The credit reporting bureaus are not the only organizations affected by 23 NYCRR Part 500. The regulation has in fact already rolled out to all New York financial institutions, including:

  • Licensed lenders

  • Mortgage companies

  • State-chartered banks

  • Private bankers

  • Trust companies

  • Foreign banks

  • Insurance companies

  • Service contract providers


What Needs to be Done?


Many parts of the regulation’s requirements have been incrementally rolled out since March 1st, 2017, with five subsequent rollouts of sub-regulations and requirements.


Financial institutions need to make sure they have in place the following: