New York’s New Cybersecurity Regulation to be Enforced in March

NYC new york

New York’s new cybersecurity regulation will be enforced on March 1, enforcing new norms and requirements upon the insurance and banking sectors as the state aims to better protect institutions and consumers against breaches and cyberattacks.

The controversial and often-debated regulation is, according to New York Governor Andrew M. Cuomo, the first of its kind to be adopted and enforced by any U.S. state.

In statements, Governor Cuomo said:

New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.

Among the list of regularity requirements, there are mandates that require financial and insurance institutions to retain a CISO, implement multifactor authentication and report cybersecurity incidents within 72 hours of the incident.

A number of requirements now mandated by the new regulation have already been adopted by larger financial institutions. Examples include developing an in-house cybersecurity plan and program, business continuity protocols in the event of an attack, a written policy that clearly addresses critical functions including access controls, asset inventory and data governance.

Further, the CISO is required to send a report to the organization’s board of directors at an annual-basis, minimally.

An organization’s cybersecurity program is required to include a periodic risk assessment. Annual penetration tests will have to be enforced to test the cybersecurity infrastructure. Further, the new regulation mandates that transmitted data will have to be encrypted. Unsurprisingly, organizations will also be required to develop a written incident response plan.

Relevant companies in New York will be required to submit a statement to the state’s Superintendent of Financial Services by February 15, each year, to certify compliance.

The initial proposed regulation was put forth in September 2016 by the Department of Financial Services. A 30-day comment period followed after its publication, with industry participants weighing in with suggestions. For instance, a sweeping definition of what constituted ‘non-public information’ was amended by the DFS after input from private industry.

While the regulation takes effect on March 1, organizations will still have 180 days to comply with the new rules. Some organizations will have up to two years to adhere to compliance due to built-in grace periods while smaller organizations will be allowed to apply for exemptions.

“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” stated New York State Department of Financial Services Superintendent Maria T. Vullo.

The final regulation, in full, is available here.