The New York State Department of Financial Services proposed comprehensive cybersecurity requirements for banks, insurance companies and other financial institutions regulated by the DFS. Among other things, such covered institutions would be required to adopt a formal cybersecurity program to protect their information systems which would be broadly defined to not only include a firm’s “resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information,” but also any specialized systems “such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems.” A covered institution’s cybersecurity program must “perform” certain mandatory functions including identifying internal and external cyber risks related to nonpublic information; using defensive infrastructures and implementing policies and procedures to protect the firm’s information systems and nonpublic information; detecting and responding to cybersecurity events to mitigate any detrimental impacts; recovering from cybersecurity events; and fulfilling all reporting obligations. Covered institutions must appoint an individual as the chief information security officer with certain enumerated responsibilities, including preparing a written report twice a year assessing the covered entity’s cybersecurity program. However, the proposed rules contemplate that a third party may perform the CISO function. The proposed rules also contain detailed requirements for covered entities to ensure the security of information systems and nonpublic information that may be accessible by third parties doing business with a covered entity. Comments on the proposed rules will be accepted for 45 days following their publication in the New York State Register. The proposed rules are scheduled to be effective January 1, 2017, with a 180-day transition period.