New state cyber rules may apply to some credit unions

Christopher Salone


Last November, the New York State Department of Financial Services (DFS) made updates to its cybersecurity regulations that may require credit unions to comply, depending on what type of subsidiary lines of business the credit union operates, according to one cybersecurity expert. “Credit unions are typically not included because they are federally chartered,” FoxPointe Solutions Consulting Manager Christopher Salone says. “A lot of credit unions let it go by and didn’t really pay attention to the changes.”

The National Credit Union Administration (NCUA) oversees federally chartered credit unions, he notes, but if a credit union operates certain types of subsidiaries, including a life, accident, or health-insurance agent or broker; a mortgage-loan servicer; title-insurance services; or a property and casualty insurance agent or broker, those business lines fall under DFS jurisdiction. That means those subsidiaries must comply with the amended DFS cybersecurity regulations, which went into effect last November and are being phased in through May of 2025, Salone says. “It’s important for the credit union to make sure their cybersecurity program is very robust,” he adds.

The amended regulations cover multiple areas of cybersecurity, requiring things like annual risk-assessment reviews and updates, annual penetration testing, a written encryption policy, business-continuity and disaster-recovery plans, multifactor authentication, and more. Any organization that is noncompliant can face enforcement and other penalties, Salone says. Those that are noncompliant for more than 24 hours must report that to DFS, and it can result in a DFS examination and findings. Repeated findings may have consequences, he says.

Credit unions may have some of these cybersecurity elements in place under NCUA requirements, Salone says, but the DFS requirements are more robust than what the NCUA requires. New York has been at the forefront of such robust cybersecurity requirements.
When the regulations were first adopted in 2017, New York was one of the first states to have such stringent requirements. Ultimately, other states, as well as federal organizations, modeled their own requirements after New York’s, Salone says, which is another reason credit unions should take a good look and make sure they are meeting those requirements if they need to do so. Salone expects organizations like NCUA will follow New York State’s lead in the near future. A credit union can check the DFS website’s cyber resources portal to see if any element of its business operations falls under DFS domain, he points out. If it is a covered entity, Salone suggests first confirming that with counsel. Once confirmed, a credit union can use its internal information technology (IT) department to get to work on compliance. Conducting a risk assessment is a good place to start, Salone adds.
Traci DeLore