Published on 05/14/2025 at 04:11
On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.
The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.
Which Financial Institutions are Regulated?
The Act regulates "financial corporations" and certain "financial institutions" (together, "Covered Organizations"). Specifically, the Act regulates mortgage lenders, debt collection agencies, debt settlement providers, money brokers, and payday lenders; banks, credit unions and other organizations regulated by the North Dakota Department of Financial Institutions are explicitly exempted.
What is Required under the Act?
The Act creates a new set of requirements for Covered Organizations with respect to development and maintenance of information security programs. These requirements include:
Governance Structure
Risk Assessment
Safeguards
Personnel and Service Provider Management
What Happens if there is a Security Breach?
Within 45 days after discovery of a security breach impacting 500 or more individuals, Covered Organizations must notify the North Dakota Department of Financial Institutions. A security breach is "discovered" as of the first day the event is known to the Covered Organization, including when the event is known to any employee, officer, or other agent of the Covered Organization. Unlike most state notification laws, the Act does not limit reporting duties to impacted state residents; instead, any individual consumer whose information has been impacted counts towards the reporting requirement.
Penalties and Fines
Although the Act creates no private right of action, the North Dakota Department of Financial Institutions has the power to levy financial penalties and take other regulatory actions. These include cease-and-desist orders, penalties of up to $100,000 per violation, and an additional $1,000 per day for each day a violation continues after service of an order. In some cases, the Department of Financial Institutions can suspend a Covered Organization's license or revoke it completely. In addition, any executive or employee found individually responsible for a violation can be removed from their position by the Department of Financial Institutions.
What's Next?
Although the Act does not take effect until August 1, 2025, Covered Organizations will need time to bring their information security programs up to the new, heightened standard. The Act provides no grace period for enforcement, so Covered Organizations should begin gap analyses now to identify where their governance, risk assessment, safeguards, and personnel and service provider management fall short. Because the Act resembles the NYDFS Cybersecurity Regulation (23 NYCRR Part 500), Covered Organizations can build on lessons from NYDFS enforcement, which has emphasized the role of senior management in an effective security program and the necessity of regular assessments and reporting.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mr Zachary Heck Taft Stettinius & Hollister 40 North Main Street Suite 1700 Dayton Ohio OH 45423-1029 UNITED STATES Tel: 614334 7102 Fax: 614334 7102 E-mail: [email protected] URL: www.taftlaw.com
© Mondaq Ltd, 2025 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing