New York proposes strict cybersecurity regulations on financial institutions and insurers

On September 13, 2016, the New York Department of Financial Services (DFS) proposed demanding cybersecurity regulations for the financial institutions and insurers it supervises. The proposal borrows from federal rules such as the Securities and Exchange Commission's Regulation Systems Compliance and Integrity and moves in the direction of European law. Most major financial institutions and insurers already have comparable measures in place.

The proposed regulations would require every state-regulated bank and insurer to assess its cyber vulnerabilities annually, to maintain policies for protecting its data and systems, and to maintain an incident response plan that can be executed immediately after a breach. Each entity would have to designate a chief information security officer (CISO), who would be responsible for reporting biannually to the board of directors on the effectiveness of the cybersecurity program.

The regulations would also require thorough written cybersecurity policies that the board of directors must review and a senior officer must approve. Covered entities would have to submit an annual certification of compliance to the DFS and would have 72 hours to notify the DFS of "any material risk of imminent harm relating to its cybersecurity program."

If enacted, the regulations could have immediate and long-term consequences both inside and outside New York. Much as the recently adopted EU-U.S. Privacy Shield pushes obligations onto downstream parties, Section 500.11 of the DFS proposal would require covered entities to hold any third-party service provider with access to their information systems or non-public information to comparably stringent cybersecurity practices. That necessarily brings data protection to the forefront of contract negotiations between covered entities and their service providers and, as a result, could promote stronger cybersecurity across many industries.

However, the regulations could impose serious cost and resource burdens on smaller and midsized companies. Compliance will likely prove challenging, especially for entities that do not already have an established cybersecurity program.

A 45-day public comment period began on September 28, 2016. The proposed regulations are scheduled to take effect on January 1, 2017, after which covered entities would have 180 days to come into compliance. The full text of the proposed regulations can be found here.