From Banking and Finance Law Daily, September 13, 2016

Cybersecurity regulation proposed for New York financial services companies

By J. Preston Carter, J.D., LL.M.

A proposed regulation would require New York banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the state’s financial services industry. In a press release announcing the proposal, Governor Andrew M. Cuomo called it a "first-in-the-nation" regulation that would protect New York State from the ever-growing threat of cyber-attacks.

"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," said Cuomo. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."

A fact sheet accompanying the announcement listed five core cybersecurity functions that each financial institution’s cybersecurity program must perform:

  1. identification of cyber risks;
  2. implementation of policies and procedures to protect against unauthorized access/use or other malicious acts;
  3. detection of cybersecurity events;
  4. responsiveness to identified cybersecurity events to mitigate any negative events; and
  5. recovery from cybersecurity events and restoration of normal operations and services.

Regulated financial institutions must also:

  • adopt a written cybersecurity policy, setting forth policies and procedures for the protection of their information systems and nonpublic information;
  • designate a qualified individual to serve as Chief Information Security Officer, responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy; and
  • have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.

Prior to proposing the regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry's efforts to prevent cybercrime, the Governor’s press release noted. The proposed regulation (23 NYCRR Part 500) is subject to a 45-day notice and public comment period before its final issuance.
