The New York Minute: Regulation Deadlines, DFS Retirement Announcement, Discovery2024, and More!

In this week’s New York Minute, we’re keeping you up to date on the latest changes for New York’s credit unions, including cybersecurity regulation deadlines and the retirement of the Executive Deputy Superintendent of the NYS DFS. Then, we’re congratulating First Source FCU on recent recognitions and reminding you to save your spot for Discovery2024! Get the latest weekly credit union news in the New York Minute.

Cybersecurity Regulation Deadlines

By Mitch Pollack, General Counsel

Covered Entities
As a reminder, the cybersecurity regulation defines a “Covered Entity” as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.” 23 NYCRR 500.1. This means that any credit union chartered or registered under New York Banking Law, Insurance Law, or Financial Services Law is a Covered Entity. Thus, the Cybersecurity Regulation does not apply to Federal Credit Unions unless they applied for a separate New York State license, which subjects them to Department of Financial Services (“DFS”) oversight, or oversight by another New York State agency.

Background
The Department of Financial Services amended its Cybersecurity Regulation in 2023 and has provided updates on upcoming deadlines.

April 2024 Deadline
Covered Entities were required to submit their 2023 annual compliance submissions by April 15, 2024. However, Covered Entities that missed this deadline can still submit their annual compliance notifications through the DFS portal. It is important to remember that the annual compliance submission must be signed by the highest-ranking executive and the Chief Information Security Officer (CISO) or, if the entity has no CISO, the senior officer in charge of cybersecurity. Any Covered Entities that qualify for full exemption from the Cybersecurity Regulation do not have to submit annual compliance notifications. The DFS now has an Exemption Determination Tool on its website that will tell you whether you are exempt under Section 500.19(a) once you input your entity’s information into the form. There is also a Class A Determination Tool to inform entities whether they qualify for Class A status. These resources, along with others, can be found at the Department of Financial Services Cybersecurity Resource Center online.

There were also additional requirements relating to Risk Assessments (Section 500.9), Cybersecurity Policies (Section 500.3), Cybersecurity Awareness Training (Section 500.14(a)(3)), and Vulnerability Management (Section 500.5(a)(1), (b), and (c)) that became effective in April 2024.

November 2024 Changes
As of November 1, 2024, there will be additional requirements under the amended Cybersecurity regulation that will apply to all Covered Entities, excluding those that are exempt. There will be changes to Cybersecurity Governance, Encryption of Nonpublic Information (NPI), and Incident Response and Business Continuity Management.

Cybersecurity Governance
CISO written reports to senior governing bodies will have to be updated to include plans regarding how to remedy material inadequacies. CISOs will also be required to make timely reports to senior governing body officers regarding any material cybersecurity issues or changes. Additionally, the entities’ senior governing bodies will be required to oversee cybersecurity risk management. See Section 500.4.

Encryption of Nonpublic Information (NPI)
Covered Entities will be required to execute written policies involving encryption that meets industry standards. Entities will no longer be able to use alternative compensating controls for encryption of NPI in transmission to external networks. However, compensating controls for encryption of NPI at rest may continue to be used if they receive written approval from the CISO. See Section 500.15.

Incident Response and Business Continuity Management
Incident response plans need to be updated as well. There must also be business continuity and disaster response plans in place that are able to address cybersecurity-related issues. Additionally, all employees involved in the plans’ implementation must be trained. Covered Entities must also regularly test plans with critical staff and make any necessary changes. Entities must also test the backups’ ability to restore critical data and information systems, as well as maintain and protect backups necessary to restore material operations. See Section 500.4.

Shirin Emami to Retire as Executive Deputy Superintendent of Banking for the Department of Financial Services

Please join us in offering our gratitude and well wishes to Shirin Emami, who is retiring from her role as the Executive Deputy Superintendent of Banking at the New York State Department of Financial Services. Shirin has been a steadfast leader and advocate for New York’s financial industries, particularly the credit union movement, for the past decade.

Her tenure has been marked by a collaborative spirit and an unwavering dedication to the financial well-being of New Yorkers. Shirin’s efforts have greatly enhanced regulatory frameworks and fostered a supportive environment for financial institutions across the state.

We celebrate Shirin’s contributions and the significant impact she has had on New York’s financial services community. Congratulations, Shirin, on your well-deserved retirement!

First Source FCU Recognized by the Community Choice Awards for Third Consecutive Year

First Source FCU has been awarded three honors at this year’s Community Choice Awards. For the third year in a row, it has been voted Best Credit Union, Best Mortgage Lender, and Best Place to Work. These awards are a testament to First Source FCU’s commitment to providing excellent service to its members and creating a great work environment for its employees.

The credit union expressed its gratitude, stating, “We are honored to be awarded 1st place in 3 categories in this year’s Community Choice Awards…Serving our Members is our privilege, and we’re committed to providing exceptional service and a rewarding work environment.”

The Community Choice Awards let local residents nominate and vote for their favorite local businesses, highlighting the best in the area. Winners are celebrated at an awards gala and featured in a special printed and online edition.

Congratulations to First Source FCU for your continued excellence in service and community involvement! See the full list of winners below.

Reminder: TruStage Discovery2024 is One Week Away!

TruStage’s Discovery2024 virtual conference is happening next week on August 8th from 9 am to 4 pm CT! Don’t miss your chance to dive into the latest trends and innovations that are shaping the credit union movement. This free event will feature a series of informative sessions, including expert-led keynotes, engaging panels, and insightful spotlight breaks, all focused on topics like the economic outlook and digital transformation in financial services.

This is a fantastic opportunity to connect with thought leaders and gain new strategies to advance your credit union. For more details and to secure your spot, register today!
