New York Considers Legislation Imposing Significant Regulatory and Cybersecurity Requirements on Non-Bank Lenders


On January 6, 2021, legislation was introduced in the New York State Senate that would require any person or entity that lends any amount of money less than $500,000 to any business entity in New York to be licensed and regulated by the New York Department of Financial Services (NYDFS).1 If the legislation were enacted, covered non-bank lenders would be subject to the comprehensive NYDFS cybersecurity regulation governing all entities licensed and regulated by NYDFS.

Regardless of whether the proposed legislation is enacted, non-bank lenders currently unregulated by NYDFS may consider bringing their operations into compliance with the NYDFS cybersecurity regulation in order to be ahead of the curve in the event the legislation passes. Even in the absence of a formal enactment, its proposed cybersecurity requirements can be considered a codification of the prevailing standard of best practices in the financial industry. Thus, implementing those cybersecurity controls on a voluntary basis may provide a defense against litigation in the event of a cybersecurity incident.

Specifically, the legislation would require any person who, among other things, offers or extends to a business secured or unsecured loans or lines of credit of $500,000 or less to obtain a license from NYDFS.2 The legislation exempts only banks, credit unions, insurance companies, and persons or entities who make or solicit five or fewer commercial products within a 12-month period, and it exempts transactions specifically regulated by Article 9-B of the New York banking code by entities already required to be licensed under other New York statutes.3

If enacted, the legislation would, among other things, subject most non-bank lenders lending money to businesses in New York to NYDFS regulations, including the NYDFS cybersecurity regulations. Such regulations require all covered entities to adopt at least the following cybersecurity controls:

  • Implement and update comprehensive cybersecurity programs and policies based on risk assessments that govern key elements of operations, including customer data privacy, access controls, and third-party management
  • Appoint a Chief Information Security Officer (CISO)
  • Encrypt nonpublic information if feasible
  • Conduct annual penetration testing and biannual vulnerability assessments