Author: Ryan J. Cooper

Sweeping Cybersecurity Regulations Proposed for All NY Financial Services Businesses

The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program. The regulations impose significant minimum cybersecurity requirements, and mandate board of director involvement and accountability. Covered businesses should immediately evaluate their existing cybersecurity programs against the NYDFS regulations and begin to develop a plan for full compliance.

What Businesses are Covered?

The NYDFS is a relatively recent amalgamation of New York’s banking and insurance departments and is sweeping in its jurisdiction. The proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking insurance or financial services law.

While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. (NYDFS supervised businesses are discussed here.)

There are limited exceptions for those covered businesses that meet all three of the following:
• fewer than 1000 customers in each of the last three calendar years;
• less than $5 million in gross annual revenue for each of the last three years; and,
• less than $10 million in year-end total assets (including all affiliates) as calculated in accordance with GAAP.

The Proposed Regulations

The regulations require that covered businesses develop comprehensive cybersecurity policies and plans that meet dozens of specific and technical requirements listed in the regulations.

Read More


Retailers Exposed Again When Oracle’s MICROS POS Systems Breached

Oracle’s MICROS, one of the top three global point-of-sale vendors, may have been breached by a Russian organized crime group know for targeting banks and retailers. Cybersecurity journalist and researcher Brian Krebs reported on the potential MICROS breach this afternoon in a report on a larger breach of Oracle Corp’s computer systems.  Per Krebs’ report:

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

Experts believe the breach may allow the hackers to remotely install malware of retailer’s point-of-sale systems to capture data from each card swiped at the cash register.

Retailers with MICROS as their POS vendor should immediately investigate the integrity of their POS systems and their MICROS account. If malware is suspected on your POS systems, cybersecurity experts can mitigate and remediate the potential data breach and theft of your customers’ credit card information.

Retailers who suspect malware on their POS systems must also act promptly to limit and mitigate their legal exposure to card-issuers, consumers, and state and federal regulators, among others. Important to mitigating potential liability is the prompt investigation and notice of any potential insurance policies that may cover losses related to a data breach. In particular, retailers with cyber-insurance policies may have coverage for the expense of investigating and remediating a breach of their POS system regardless of whether there is subsequent liability to third-parties.


Law Office of Ryan J. Cooper LLC | 600 Linden Place Cranford, NJ 07016 | 732.485.1455