New York state is proposing new rules requiring banks and insurance companies to establish cybersecurity programs and designate an internal cybersecurity officer, in what Gov. Andrew Cuomo described as a “first-in-the-nation” move to codify cyber safety policies.
The new regulations, proposed by New York's Department of Financial Services, will apply only to banks and other financial services companies licensed by the state and not to nationally chartered institutions. But as the first regulator to issue guidelines involving cybersecurity, the DFS could set an example for other regulators at the state and federal level. The proposed regulation is subject to a 45-day notice and public comment period before adoption.
The proposed rules come after some of the world's biggest banks — including J.P. Morgan Chase and HSBC Group — have reported significant cyber intrusions and U.S. corporations in general have been frequent targets of hacking.
Large banks and insurance companies have built their own cybersecurity programs in recent years, often costing hundreds of millions of dollars. The biggest impact of the new regulations is likely to be on small banks and insurers, which might need to bring their cyber programs up to at least a minimum standard.
In announcing the proposals, Mr. Cuomo said the regulations would “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
DFS Superintendent Maria Vullo said: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”