New York became the first state to require banks, insurance companies, and other financial services institutions to create and maintain cybersecurity programs.
Gov. Andrew Cuomo on Sept. 13 issued the regulations, which require financial services institutions to adopt a written cybersecurity policy, hire a chief information security officer (CISO), conduct annual penetration assessments, and ensure the security of information that can be accessed by third parties. The public has 45 days to comment on the regulation before its final issuance.
“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Cuomo in a press release. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
The New York State Department of Financial Services (DFS) surveyed 200 banks and insurance companies to gain insight into their cybersecurity posture. DFS also met with representatives from companies and cyber experts to discuss policy, programs, and emerging risk trends.
“Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with,” said Maria Vullo, DFS superintendent. “DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”