Primary navigation
Feature image for Non-Depository Information Security and Incident Notification

Non-Depository Information Security and Incident Notification

    Minnesota’s Nonbank Data Security Law (Minnesota Statutes Chapter 46A), passed by the 2024 Minnesota Legislature, adopts a model law proposed by the Conference of State Bank Supervisors (CSBS). The law tracks the updated federal Safeguards Rule.

    NonBank Data Security Law [PDF]     Minnesota Statutes Chapter 46A

    Communications


    CSBS Cyber Hygiene Awareness Campaign for Financial Institutions

    CSBS has developed series of resources that will be shared throughout the upcoming year to promote the ongoing awareness of cyber hygiene for financial institutions.  These communications will be shared on this page via the links below.  Please check back periodically for new publications as they are released.

    Series 1 - Cyber Hygiene Actions Your Institution Should Take Today [pdf]
    Series 2 - End-of-Life Management & Multi-Factor Authentication [zip]

    Series 3 - Vulnerability & Patch Management / Event Logging & Threat Detection [zip]

    CISA - Safeguarding Our Critical Infrastructure

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence, released guidance to assist critical infrastructure owners and operators to detect and mitigate efforts by foreign intelligence entities to disrupt U.S. critical infrastructure. 

    Get a copy of the document here [PDF]

    Updated Nonbank Ransomware Self-Assessment Tool (R-SAT) – Available now!

    Download the updated Nonbank Ransomware Self-Assessment Tool (R-SAT) today to evaluate your institution’s cybersecurity posture. This critical and repeatable cybersecurity tool is easy to use, and designed to assist nonbank companies of all sizes assess their readiness for ransomware attacks.  This updated Nonbank R-SAT was developed collaboratively by CSBS, state bank examiners, the Bankers Electronic Task Force, and the U.S. Secret Service in response to the increasing cyber threat environment and evolutions in company control environments.

    Link to the updated Ransomware Self-Assessment Tool (R-SAT)

    Notification Event Reporting


    Minnesota’s Nonbank Data Security Law includes requirements for Minnesota- licensed nonbank financial institutions to report a notification event to the commissioner.

    The law applies to mortgage, money services and consumer finance entities licensed by the Department of Commerce and asks them to do three things: 

    • To develop and have an information security program.
    • To have an incident response plan to handle any security events (for those institutions with over 5,000 consumers).
    • To notify the Department of Commerce within 45 days when a cybersecurity event that affects more than 500 consumers has occurred. 

    Protecting the privacy of consumer data has been a priority for the Commerce Department and the CSBS.  Commerce continues to work with CSBS committees on additional policy ideas for consumer privacy protection. 


    Report a Cybersecurity Incident


    Commerce Department contact for Financial Institutions Information Security Program reporting: 

    Nicholas Jenson, Senior Examiner
    nicholas.jenson@state.mn.us
    651-539-1712


    Information Technology Resources


    back to top