William J. Mellin, New York Credit Union Association president/CEO, responded to the New York State Department of Financial Services’ proposed cybersecurity amendments in a comment letter late last week.
The proposed regulation, which applies only to state-chartered and licensed institutions, makes several changes to the existing framework. It creates a new category of large class-A institutions, which will have to undergo periodic independent cyber audits. It also makes some important technical changes regarding the ability of all credit unions to encrypt personal data.
New York’s “first-in-the-nation” regulations are closely scrutinized at both the state and federal levels for clues as to where cyber standards are headed. The letter outlines specific changes to 23 NYCRR 500 that would enable DFS to achieve the core goals of its proposed amendments in a way that helps smaller and mid-size institutions comply with these regulations cost-effectively.
While he recognizes the need to update the cybersecurity framework to address emergent issues such as ransomware, Mellin stated that he believes that subtle changes to 23 NYCRR 500 would allow impacted institutions to better balance compliance with the costs associated with these changes.
“While credit unions share DFS’s commitment to ensuring that consumer information is appropriately protected, as the risk environment evolves, so too should regulations designed to combat cyber intrusions,” Mellin said.
In 2017, New York state enacted its “first-in-the-nation” Cybersecurity Regulation, which goes beyond existing federal requirements. This regulation applies to any state-licensed or chartered institution and its affiliates, and DFS requires regulated entities to certify annually that they are complying with it.