New Cybersecurity Rules on the Way in New York
The New York State Department of Financial Services (NYDFS) has proposed new regulations designed to protect against the rising threat of cybercrime targeting financial systems and consumer data. New York Governor Andrew Cuomo unveiled the plan, which would require banks, insurance companies and other financial services providers regulated by the NYDFS to establish a cybersecurity plan that meets standards set by the agency. Regulated institutions would be required to: adopt a written cybersecurity policy; designate a chief information security officer responsible for implementing and overseeing cybersecurity programs and policies; and establish procedures to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. The proposed regulation will be published in the New York State Register on Sept. 28, 2016, after which it will be subject to a 45-day public comment period.
“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks and other criminal enterprises,” Cuomo said in a statement. “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
Prior to proposing the new regulation, NYDFS canvassed nearly 200 regulated banks and insurance companies to get insight into existing cybersecurity policies and procedures. The agency also met with cybersecurity experts to discuss emerging cybercrime trends and risks, as well as due diligence processes, policies and procedures governing relationships with third-party vendors. The finding from those consultations were published in a series of reports, which helped to inform the rulemaking process, NYDFS said.