On September 12, New York Governor Andrew Cuomo broke new ground in proposing a state-level regulation that would require banks, insurance companies, and other financial services entities regulated by the New York Department of Financial Services (“NYDFS”) to establish formal cybersecurity programs.
Having a written cybersecurity policy and a designated chief information security officer responsible for overseeing a company’s cybersecurity program are only two of the requirements imposed by the proposed regulation. The proposed regulation specifies a number of minimum standards. For instance, a regulated entity’s written cybersecurity policy is expected to address, “at a minimum,” 14 different topic areas ranging from incident response to customer data privacy. It also requires that regulated entities notify NYDFS of any “material” breach within 72 hours of identifying it, and it mandates that financial services institutions undergo an annual risk assessment and penetration testing.
The proposal comes in the wake of the SEC’s and other federal financial services regulators’ increased focus on the financial industry’s cybersecurity practices, including the SEC’s Office of Compliance Inspections and Examination’s ongoing “cyber initiative.” Prior to proposing the new regulation, the NYDFS signaled its intent and surveyed nearly 200 regulated financial services institutions to better understand the industry’s efforts to combat cybercrime. Those surveys culminated in “Reports on Cyber Security” for the banking sector, the insurance sector, and on third-party service providers within the banking sector, which ultimately informed NYDFS’s rulemaking process.
In its announcement, the Governor’s office explained that the minimum standards included in the proposed regulation are intended to “maintain flexibility in the industry so that the final rule does not limit industry innovation.” That being said, compliance with the regulation, once it is finalized, would at the least require regulated entities to take steps to confirm that their current cybersecurity programs align with this new layer of requirements.
The proposed regulation is subject to a 45-day notice and public comment period once it is published to the New York State Register.