On September 13, 2016, the New York State Department of Financial Services proposed regulations requiring banks, insurance companies and other NYDFS-regulated institutions to promptly adopt a cybersecurity program, and setting forth certain minimum standards for such a program. As part of establishing a cybersecurity program, each covered entity would be required to, among other things, adopt a written cybersecurity policy; designate a chief information security officer responsible for implementing, overseeing and enforcing the program and policy; and maintain policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. Institutions would also be required to comply with additional requirements intended to protect the confidentiality, integrity and availability of their information systems. The proposed regulations would further require senior management of covered entities to file an annual certification confirming compliance with the regulations, beginning in January 2018.
The NYDFS notes that, while these regulatory minimum standards are warranted, they are not intended to be overly prescriptive, so that cybersecurity programs can be tailored to the relevant risks and keep pace with technological advances. The proposed regulations are subject to a 45-day notice and public comment period before their final issuance.
The proposed regulations are available at: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.