New York unveils final cybersecurity regulations
New rules take effect on March 1
Last year, the state of New York announced a series of sweeping regulations that require banks, insurance companies, and other financial services companies to significantly strengthen their cybersecurity programs in an effort to further protect consumers’ personal and financial information.
The rules are set to take effect on March 1, 2017, and with less than two weeks to go, New York is releasing the final version of the regulations.
On Thursday, the office of New York Gov. Andrew Cuomo and the New York Department of Financial Services unveiled the final cybersecurity regulations.
According to Cuomo’s office, the final risk-based regulation includes “certain regulatory minimum standards while encouraging firms to keep pace with technological advances.”
The new rules stipulate that companies must enact:
- Controls relating to the governance framework for a robust cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization
- Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing
- Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events
- Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS
“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” Cuomo said. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”
NYDFS Superintendent Maria Vullo added that the rules will help to keep financial institutions and their customers safe.
“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” Vullo said. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”