Banking and Finance Law Daily Cybersecurity regulation proposed for New York financial services companies
Tuesday, September 13, 2016

Cybersecurity regulation proposed for New York financial services companies

By J. Preston Carter, J.D., LL.M.

A proposed regulation would require New York banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the state’s financial services industry. In a press release announcing the proposal, Governor Andrew M Cuomo called it a "first-in-the-nation" regulation that would protect New York State from the ever-growing threat of cyber-attacks.

"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," said Cuomo. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."

fact sheet accompanying the announcement listed five core cybersecurity functions that each financial institution’s cybersecurity program must perform:

  1. identification of cyber risks;
  2. implementation of policies and procedures to protect unauthorized access/use or other malicious acts;
  3. detection of cybersecurity events;
  4. responsiveness to identified cybersecurity events to mitigate any negative events; and
  5. recovery from cybersecurity events and restoration of normal operations and services.

Regulated financial institutions must also:

  • adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information;
  • designate a qualified individual to serve as Chief Information Security Officer, responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy; and
  • have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.

Prior to proposing the regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry's efforts to prevent cybercrime, the Governor’s press release noted. The proposed regulation (23 NYCRR Part 500) is subject to a 45-day notice and public comment period before its final issuance.

MainStory: TopStory CyberPrivacyFeed IdentityTheft NewYorkNews Privacy StateBankingLaws

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Banking and Finance Law Daily

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More