On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program designed to ensure the safety of New York’s financial services industry and to protect New York State from the threat of cyber attacks.

The proposed regulation requires regulated financial institutions to take various actions, including:

  • adopting a written cybersecurity policy;
  • establishing a cybersecurity program;
  • designating a Chief Information Security Officer to oversee and enforce its new program and policy; and
  • implementing policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

The proposed regulation is subject to a 45-day notice and public comment period. If adopted, this will be the first regulation of its kind in the U.S.