New York’s Department of Financial Services on Tuesday issued a new set of proposed regulations on cybersecurity. The proposed regulations would require banks and insurance companies to establish cybersecurity programs and assign an internal cybersecurity officer.
New York Governor Andrew Cuomo described the move as the first of its kind in the United States by any state or federal agency. State-chartered, FDIC-insured banks are supervised for cybersecurity at the federal level, but at the state level, New York’s actions can set precedents for other state regulators.
Banks would be required to hire a chief information security officer and implement measures that detect and deter cyber intrusions and protect consumer data.
Each company would be required to assess its specific risk profile and design a program that addresses its risks in a “robust fashion.” Senior management would be responsible for their organization’s cybersecurity program, and would have to file an annual certification confirming compliance with these regulations.
The proposed regulations also contain a requirement that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the event.
The proposed rules come after some of the world’s biggest banks have reported significant cyber intrusions. U.S. corporations in general have been frequent targets of hackers.
Other requirements include annual penetration testing, periodic reviews of access privileges, annual risk assessments and multi-factor authentication for accessing internal systems.
The proposed regulation is subject to a 45-day notice and public comment period before final adoption.