New York State announced a new cybersecurity regulation, taking effect on March 1, to protect the state’s financial services industry and consumers from the threat of cyber attacks.
The rule requires banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (DFS) to establish a program to protect consumers’ private data.
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber attacks,” New York Gov. Andrew Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
The cybersecurity programs must be adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization. Minimum standards for technology systems include access controls, data protection including encryption, and penetration testing. Programs must also include an incident response plan, preserve the data needed to respond to breaches, and notify DFS of material events.
“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information. As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attack,” New York State DFS Superintendent Maria Vullo said.
As part of their program, companies must also identify and document material deficiencies, draft remediation plans, and get annual certifications of regulatory compliance.
“As Manhattan District Attorney, I know that defeating cybercrime requires not only prosecuting it, but taking necessary actions to prevent it. DFS’s cybersecurity regulation will be a crucial tool in the ongoing battle against cyber-crime and identity theft by mandating that New York’s financial services industries adopt and put in place robust and appropriate controls to detect, thwart and report cyber incidents,” Manhattan District Attorney Cyrus Vance, Jr., said.
DFS considered all comments submitted during two different comment periods late last year. Suggestions that DFS deemed appropriate were incorporated in the final regulation. The regulation will become effective upon publication in the New York State Register on March 1.