The New York State Department of Financial Services (NYSDFS) recently proposed new cybersecurity regulations for banks, insurance companies, and other financial institutions—the first regulations of their kind in the United States.
The proposed regulations require covered financial institutions—including all insurance companies doing business in New York and banks that are chartered there—to establish a cybersecurity program, adopt a cybersecurity policy, and appoint a chief information security officer. Additional requirements include, among many others, annual risk and vulnerability assessments, encryption of non-public data, and a written incident response plan. Institutions must also notify NYSDFS within 72 hours of a possible breach and implement cybersecurity awareness training programs for employees. Further, covered institutions must ensure that any companies with whom they do business have sufficient cybersecurity controls in place, meaning vendors who work with large financial institutions will need to rethink their data security measures in light of the NYSDFS regulations.
The proposed regulations are subject to a forty-five day public comment period, could take effect as soon as January 1, 2017, and may impact more than 4,000 organizations. Given the numerous compliance requirements, institutions subject to NYSDFS regulations should start planning now. Additionally, although the NYSDFS regulations are the first of their kind, financial institutions in Pennsylvania and elsewhere should be aware that other states may propose similar regulations in the future.
