New York State Issues Final Cybersecurity Rules for Financial Institutions


Governor Andrew M. Cuomo announced today that the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017. The New York State Department of Financial Services (NYDFS) carefully considered all comments submitted during a 45-day comment period following the publication of the proposed regulation in September 2016 and a 30-day comment period following the publication of the updated proposed regulation in December 2016. Suggestions that NYDFS deemed appropriate were incorporated into the final regulation.

The final regulation requires banks, insurance companies, and other financial services institutions regulated by the NYDFS (Covered Entities) to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.

The cybersecurity programs must be adequately funded and staffed, overseen by qualified management and reported on periodically to the most senior governing body of the organization. The regulation sets certain regulatory minimum standards while encouraging firms to keep pace with technological advances. The new regulation provides important protections to prevent and respond to cyber breaches, including:

  • Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
  • Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  • Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to NYDFS of material events; and
  • Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to NYDFS.

Covered Entities will be required to annually prepare and submit to the Superintendent of Financial Services a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations commencing February 15, 2018.
