
New York Pushes to Regulate Credit Agencies After Equifax Breach


New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.

“In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue new regulation requiring credit reporting agencies to register with New York for the first time and comply with this state’s first-in-the-nation cybersecurity standard,” says the statement.

“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Governor Cuomo said. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”

In the proposed new regulation (PDF), Maria T. Vullo, Superintendent of Financial Services, makes it clear that her department has been monitoring ‘the deficient practices’ of credit reporting companies (such as Equifax, Experian and TransUnion). She cites failure to safeguard consumer data; failure to maintain accurate data; and failure to investigate alleged inaccuracies.

Her proposed solution is to require the credit reporting companies to register with the DFS, to refrain from a list of prohibited practices, and to comply with the cybersecurity requirements of 23 NYCRR 500. Failure to comply with the new regulation (23 NYCRR 201) could lead to the revocation of the credit company’s authorization to do business with New York’s regulated financial institutions and consumers, which would effectively make it impossible to carry on operating in the state.

“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo. “This is one necessary action of several that DFS will take to protect New York’s markets, consumers and sensitive information from criminals.”

It is thought that 8 million New Yorkers may be affected by the Equifax breach.


‘First-in-the-nation’ is how New York describes the 23 NYCRR 500 regulation. Two of its key requirements are that regulated companies (‘covered entities’) must designate a chief information security officer, and that they must submit an annual certification of compliance to the DFS, approved by the board or a senior officer. The CISO “shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body.” That report is effectively a statement of how the regulation has been implemented, including details of any ‘material Cybersecurity Events’.

The process effectively makes the DFS the final arbiter of the adequacy of regulated companies’ cybersecurity programs, and the new proposal brings credit reporting agencies into line with the requirements already placed on regulated financial services organizations.

The proposed new regulation also introduces a new range of prohibitions on credit reporting agencies designed to protect consumers. These prohibit “any unfair, deceptive or predatory act or practice toward any consumer…  violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act…” and “Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency.”

Cuomo makes it clear that he hopes that other states will follow with their own similar regulations on credit companies. This puts New York state in direct opposition to the perceived federal preferences of the Trump administration — which would prefer to ease regulatory restrictions on business. Cuomo believes that tighter regulations are required to protect consumers, rather than looser regulations to promote business.

The new regulation will likely be subject to a public comment period. However, under the current proposal, credit reporting agencies will be required to register with the DFS by February 1, 2018, and annually thereafter. The 23 NYCRR 500 cybersecurity requirements are to be phased in on a staggered basis, with the credit reporting companies required to be in full compliance by October 4, 2019.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
