On September 13, 2016, New York Governor Andrew Cuomo proposed first-of-their-kind rules that would require financial institutions to develop and implement detailed cybersecurity programs.[1] The proposed rules would apply only to banks, insurers, and other financial service providers regulated by the New York Department of Financial Services (DFS),[2] though experts say other states and even the federal government may soon respond with similar regulations.[3]

Governor Cuomo stated that "[t]his regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible."[4] The proposal follows a series of reports released by the DFS detailing the cyber threats that banks and insurers persistently face.[5]

The proposed rules would require DFS-regulated institutions to, among other things:

  • Implement a cybersecurity program that tracks and maintains data so that the institution can detect misuse of, or unauthorized access to, its IT systems;
  • Develop detailed guidelines and procedures for responding to a security breach;
  • Limit access to non-public information on the institution's IT systems solely to those individuals who require access to perform their responsibilities, and require the institution to provide training to all such individuals on cybersecurity issues;
  • Monitor how third-party vendors collect and store customer data; and
  • Employ cybersecurity personnel and designate a Chief Information Security Officer responsible for implementing and enforcing the company's cybersecurity program.[6]

There is a 45-day comment period before the proposed rules go into effect.[7] The proposed rules do not vary significantly from guidelines previously issued by many state and federal regulators, but those guidelines are often provided as recommendations rather than formal rules.[8]

Because of the high cost associated with implementing and maintaining sophisticated cybersecurity programs, the largest impact of the new rules will likely fall on small banks and insurers, which are less likely to already have the established cybersecurity programs more commonly found at large financial institutions.[9]

Though it remains to be seen how strictly the DFS will enforce these rules, DFS Superintendent Maria Vullo stated, "Regulated entities will be held accountable and must annually certify compliance by assessing their specific risk profiles and designing programs that vigorously address those risks."[10]