Non-Depository Information Security and Incident Notification
Minnesota’s Nonbank Data Security Law (Minnesota Statutes Chapter 46A), passed by the 2024 Minnesota Legislature, adopts a model law proposed by the Conference of State Bank Supervisors (CSBS). The law tracks the updated federal Safeguards Rule.
NonBank Data Security Law [PDF] MN 46A StatuteCommunications
CSBS - Cyber Hygiene Actions Your Institution Should Take Today
CSBS has developed a memo, which provides a brief overview of ransomware and geopolitical risks and promotes several cyber hygiene practices that banking institutions should implement to mitigate these risks. As these practices and risks apply to non-depository institutions as well, this communication has been updated for non-depository institutions as fundamental cyber hygiene practices are extremely effective at mitigating the risk of cyber-attacks. The CSBS memo to banking institutions represents the first in a series of resources that will be shared throughout the upcoming year to promote ongoing awareness and further encourage implementation of these practices. As appropriate, these communications will be reviewed and shared for non-depository institutions on this page.
Get a copy of the document here [PDF]
CISA - Safeguarding Our Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence, released guidance to assist critical infrastructure owners and operators to detect and mitigate efforts by foreign intelligence entities to disrupt U.S. critical infrastructure.
Get a copy of the document here [PDF]
Updated Nonbank Ransomware Self-Assessment Tool (R-SAT) – Available now!
Download the updated Nonbank Ransomware Self-Assessment Tool (R-SAT) today to evaluate your institution’s cybersecurity posture. This critical and repeatable cybersecurity tool is easy to use, and designed to assist nonbank companies of all sizes assess their readiness for ransomware attacks. This updated Nonbank R-SAT was developed collaboratively by CSBS, state bank examiners, the Bankers Electronic Task Force, and the U.S. Secret Service in response to the increasing cyber threat environment and evolutions in company control environments.
Link to the updated Ransomware Self-Assessment Tool (R-SAT)
Notification Event Reporting
Minnesota’s Nonbank Data Security Law includes requirements for Minnesota- licensed nonbank financial institutions to report a notification event to the commissioner.
The law applies to mortgage, money services and consumer finance entities licensed by the Department of Commerce and asks them to do three things:
- To develop and have an information security program.
- To have an incident response plan to handle any security events (for those institutions with over 5,000 consumers).
- To notify the Department of Commerce within 45 days when a cybersecurity event that affects more than 500 consumers has occurred.
Protecting the privacy of consumer data has been a priority for the Commerce Department and the CSBS. Commerce continues to work with CSBS committees on additional policy ideas for consumer privacy protection.
Report a Cybersecurity Incident
Commerce Department contact for Financial Institutions Information Security Program reporting:
Nicholas Jenson, Senior Examiner
nicholas.jenson@state.mn.us
651-539-1712