In a letter to federal and state financial institution regulators dated November 9, 2015, the New York State Department of Financial Services (NYDFS) put forth a proposal for new cybersecurity regulations for financial institutions. The proposal is the result of a two-year investigation by the NYDFS into the current cybersecurity programs and practices of hundreds of banking organizations and insurers (the reports of those investigations are available here, here, and here). Among other data protection methodologies, the proposal would require new audit procedures and multi-factor authentication for access to any internal data systems from an external network. It would also set minimum standards for ensuring the security of sensitive data held by third-party service providers and require notification of "any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity." Further, the proposal would require each covered entity to maintain and implement written cybersecurity policies and procedures and to appoint a Chief Information Security Officer -- among other cybersecurity personnel -- to manage the entity's cybersecurity program. The NYDFS is soliciting feedback from eighteen state and federal regulatory organizations and hopes to use that input to develop comprehensive regulations in the coming months. The full text of the letter is available here.