Regulatory Cyber Alert: NYS-DFS Requires Consumer Reporting Agencies to Register and Comply with 23 NYCRR Part 201

July 2, 2018

On June 25, 2018, the New York State Department of Financial Services (NYS-DFS) issued a final regulation directed toward New York consumer credit reporting agencies. The regulation applies to agencies who reported on 1,000 or more New York consumers in the preceding year.

Per this regulation, “consumer reporting agencies” must:

  • Register with NYS-DFS on or before September 1, 2018
  • Comply with NYS-DFS cybersecurity “Part 500” rules on or before November 1, 2018

Once registered, agencies must comply with cybersecurity rules delineated in 23 NYCRR 500. NYS-DFS issued these requirements in response to what it sees as the failure of consumer credit reporting agencies in safeguarding consumer data or appropriately investigating disputes of inaccuracy. In general, it aims to increase consumer confidence in light of intensified cybersecurity threats.

Does this apply to portfolio companies?

While NYS-DFS 23 NYCRR 500 applies only to those financial firms for which the DFS is the licensing or regulatory authority (for example, investment advisers may be covered by the SEC, not DFS), the specifics of who it covers are not always clear. It can affect portfolio companies so we recommend consulting with counsel to determine if these deadlines and rules are applicable.

How ACA Can Help

ACA Aponix offers several solutions that can help Covered Entities comply with DFS NYCRR 500, including:

For More Information

If you have questions, please contact your regular ACA Aponix consultant or email us at