A proposed regulation would require New York banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the state's financial services industry. In a press release announcing the proposal, Governor Andrew M. Cuomo called it a "first-in-the-nation" regulation that would protect New York State from the ever-growing threat of cyber-attacks.
"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," said Cuomo. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
A fact sheet accompanying the announcement listed five core cybersecurity functions that each financial institution’s cybersecurity program must perform:
1. identification of cyber risks;
2. implementation of policies and procedures to protect against unauthorized access/use or other malicious acts;
3. detection of cybersecurity events;
4. responsiveness to identified cybersecurity events to mitigate any negative events; and
5. recovery from cybersecurity events and restoration of normal operations and services.
Regulated financial institutions must also:
- adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information;
- designate a qualified individual to serve as Chief Information Security Officer, responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy; and
- have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
Prior to proposing the regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry's efforts to prevent cybercrime, the Governor’s press release noted. The proposed regulation (23 NYCRR Part 500) is subject to a 45-day notice and public comment period before its final issuance.