On September 13, 2016, Governor Andrew Cuomo proposed a new Cybersecurity Regulation to Protect Consumers and Financial Institutions. The first-in-the-nation proposal aims to protect consumer data and financial systems from cyber-attacks of terrorist organizations and other criminal enterprises.
The Regulation requires banks, insurance companies, and other financial services institutions to maintain a cybersecurity program designed to protect consumers and New York State’s financial services industry.
The proposed Regulation is subject to a 45-day notice and public comment period before its final issuance.
Once the Regulation is issued, all regulated financial institutions must:
- establish a cybersecurity program able to (i) identify cyber risks; (ii) implement policies protecting unauthorized access; (iii) detect cybersecurity events; (iv) respond to identified events; (v) recover and normalize after such events;
- adopt a written cybersecurity policy addressing several points, among which, information security, data governance and classification, access and identity management, physical security, customer data privacy, third-party service provider management, risk assessment, and incident response;
- designate a Chief Information Security Officer (CISO) “responsible for implementing, overseeing and enforcing its new program and policy”;
- ensure the security of information systems and nonpublic information accessible to, or held by, third-party service providers.
In addition, the proposed Cybersecurity Regulation sets forth a variety of other requirements to protect the confidentiality, integrity and availability of information systems, such as, for example, annual risk assessment, employees’ training, retention policies, encryption requirements, and incidents response plans.
More information on the proposed Cybersecurity Regulation is available at https://www.governor.ny.gov…
The text of the Cybersecurity Requirements for Financial Services Companies is available at http://www.dfs.ny.gov… Open PDF
Originally published on Technethics on September 15, 2016