In September 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial institutions to establish cybersecurity programs. With close to 700 institutions holding over $3.1 billion in assets subject to its supervision, the New York State Department of Financial Services has a much broader scope than most people realize (New York State Department of Financial Services, 2015 Annual Report, p. 21, http://www.dfs.ny.gov/reportpub/annual/dfs_annualrpt_2015.pdf).
The regulation takes a prescriptive approach—unlike the risk-based approach of other regulations and standards—requiring covered entities to
- establish a cybersecurity program;
- adopt a written cybersecurity policy;
- appoint a chief information security officer (CISO);
- establish policies and procedures that ensure the institution's security when using third-party service providers, including through contractual provisions;
- undergo annual penetration testing and vulnerability assessments;
- implement audit trails and logging procedures;
- limit and review access privileges;
- maintain application security procedures;
- undergo annual risk assessments;
- employ and train cybersecurity staff;
- implement multifactor authorization;
- destroy, in a timely fashion, all nonpublic information (as defined by the regulation) that is no longer needed;
- monitor and train all authorized users;
- encrypt nonpublic information at rest and in transit; and
- develop a written incident response plan.
(The regulation's definition of a "covered entity" includes "any individual, partnership, corporation, association or any other entity" that is "operating under or required to operate under…the banking law, the insurance law or the financial services law" of New York.)
The regulation was published in the New York Register on September 28, 2016, and is currently subject to a 45-day notice and public comment period, which will end on November 12, 2016. The regulation will take effect on January 1, 2017.