New York recently announced new proposed regulations aimed at bolstering cybersecurity protections in the financial services industry. The regulations would require banks, insurance companies, and other financial institutions that are regulated by the New York State Department of Financial Services to establish and maintain a cybersecurity program, including designating a Chief Security Officer, adopting a written cybersecurity policy, and implementing new procedures to ensure the security of information systems. Required cybersecurity measures would include an incident response plan, multi-factor authentication for individuals with access to internal systems, encryption of all nonpublic information held or transmitted, and an audit trail system. The proposed regulations would also affect third parties with access to a regulated entity's information systems and nonpublic information, as regulated entities would be required to conduct due diligence on, monitor, and require minimum cybersecurity practices from those third parties. The proposal is subject to a 45-day notice and public comment period before becoming final; if issued, the regulations will go into effect in January 2017. The press release from Governor Cuomo's office and a state-issued summary of the proposed regulations are available here and here, and the full text of the proposed regulations is available here. For further information on NY's proposed regulations, see Arnold & Porter's Advisory.