State Regulatory Developments

MN Adds Information Security Program Requirement, Amends Mortgage Licensing Law

Minnesota recently made several statutory changes affecting financial institutions, including a requirement for financial institutions (excluding credit unions and federally-insured depository institutions) to have a comprehensive information security program, and amendments to the state’s mortgage licensing law.

The required comprehensive information security program (the Program) must include the following elements: (i) designation of a qualified individual to oversee, implement, and enforce the Program; (ii) be based on a risk assessment, as specified further in the law; (iii) design and implementation of safeguards to control for the risks identified by that risk assessment; (iv) monitoring or testing of the key controls, systems, and procedures regularly; (v) policies and procedures regarding security awareness training for personnel and having qualified personnel that can enact the Program; (vi) proper oversight of service providers, including periodic assessments of the providers’ safeguards and contractually requiring that the providers’ maintain appropriate safeguards; (vii) make adjustments to the Program due to such events as material business changes and results of Program testing and monitoring; (viii) establish a written incident response plan; (ix) qualified individual must annually provide a written report including certain specific information detailed in the law to the financial institution’s board or governing body; and (x) establish a written business continuity and disaster recovery plan.  The law also includes a requirement that “notification events” (defined, in part, as “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains”) that include information of at least 500 consumers must be reported to the commissioner without undue delay – not later than 45 days after discovery of the event.

The mortgage licensing law amendments include exempting certain bona fide nonprofits from licensing, amending which exempt persons under the law must apply for a certificate of exemption, adding a section on background checks, and increasing surety bond requirements.