In an unprecedented effort to protect New York State’s financial services industry from cyber threats, Governor Andrew M. Cuomo announced a proposed regulation that requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services (DFS) to establish and maintain a cybersecurity program to protect consumers and New York State’s financial services industry.

The landmark proposed regulation is subject to a 45-day notice and public comment period before its final issuance. Requirements of the proposed regulation for financial institutions include:

  • Establishment of a cybersecurity program
  • Adoption of a written cybersecurity policy
  • Designation of a chief information security officer responsible for the program and policy
  • Creation of policies and procedures designed for the security of information systems and nonpublic information accessible to, or held by, third parties

The DFS has published the details of the “Proposed Cybersecurity Requirements for Financial Service Companies” on its website.

Recognizing the dynamics of the swiftly evolving cyber industry, the proposed regulation includes minimum standards while maintaining flexibility so that the rule does not become unduly restrictive as technology advances.

DFS’s proposal to raise the cybersecurity standards for financial institutions comes at a time when the increasing cyber risk posed by hackers, employees, criminals and a host of other actors has received significant media attention. In an effort to protect its financial services industry from unauthorized intruders, New York is seeking to impose more rigorous standards on the industry, which is viewed as a significant target for cyber threats.

To ensure that these new programs and policies are not simply adopted without proper implementation, New York is proposing additional requirements that mandate cybersecurity awareness training for all personnel, an appropriate document retention/destruction policy for nonpublic information that is no longer required, and an incident response plan for responding to any cybersecurity event.

Although New York’s financial services industry may be the first to be held to the proposed heightened standards, it almost certainly won’t be the last, as other states and industries will likely follow suit to protect consumers and financial institutions from an ever-increasing cyber threat.