On Tuesday, September 13, 2016, the New York Department of Financial Services unveiled new proposed cybersecurity regulations aimed at banks, insurers, and financial services companies, imposing a host of obligations on these organizations to implement policies and procedures to protect their computer systems and networks and all nonpublic data. These new regulations are among the most comprehensive and sweeping to be issued by any U.S. regulator to date. 

The regulations broadly cover any entity subject to New York’s banking law, insurance law, and financial services law. The regulations require organizations to adopt a written cybersecurity policy that lays out policies and procedures governing, among other things, information security and access control, business continuity and disaster planning, network security and monitoring, customer data privacy. The organization must also have specific policies outlining security procedures for information systems and private information accessible by third-party service providers, including minimum cybersecurity practice requirements for those third parties.

The regulations also impose specific requirements on organizations’ policies and procedures. These include annual penetration testing, periodic review of access privileges and security procedures, annual risk assessments, hiring of specific cybersecurity personnel, and ongoing training for all relevant employees and users. The proposed regulations also explicitly require the use of multi-factor authentication and encryption, and they require the timely destruction of nonpublic information. The regulations also require organizations to report any breaches that affect operations or that compromise nonpublic information within 72 hours of discovery to the Department of Financial Services—one of the shortest notice periods imposed by any regulator.

In addition, organizations must hire or designate a Chief Information Security Officer responsible for implementation, oversight, and enforcement of all cybersecurity policies. This Officer must report to the organization’s board of directors at least bi-annually on the cybersecurity policies and implementation, risks, and material breaches.

The proposed regulations will be officially published on September 28, 2016, which will be followed by a 45-day notice-and-comment period before their final issuance. Organizations have only 180 days after the regulations take effect to comply with most of the requirements.

The proposed regulations are available here.