On September 13, 2016, New York Governor Andrew Cuomo announced that a first-of-its-kind cybersecurity regulation had been proposed by the New York State Department of Financial Services (DFS) to further protect New York State from data breaches and cyberattacks.
The proposed regulation requires DFS-regulated financial services institutions, including, but not limited to, banks, insurance companies, money service businesses and regulated virtual currency operators, to do the following:
Governor Cuomo said that "[t]his regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
The proposed regulation is subject to a 45-day notice and public comment period before its final issuance. The majority of the requirements in the proposed regulation are already suggested by the Federal Financial Institutions Examination Council, a panel of regulators including the Federal Deposit Insurance Corp., the Federal Reserve and the Office of the Comptroller of the Currency.
As this proposed regulation makes clear, New York State is becoming increasingly serious about imposing and enforcing requirements on financial institutions to ensure they are taking proper measures to protect New York State from data breaches and cyberattacks.
The full proposed regulation can be accessed at: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.