Financial services firms overseen by the New York State Department of Financial Services will be required to have cybersecurity programs and policies in place by March 1 under a regulation announced Thursday.
The rules taking effect March 1 reflect revisions the department made to its original proposal, which had been scheduled to take effect Jan. 1. In December, state officials issued a revised proposal that tied some requirements to each firm's own risk profile.
“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes,” New York Gov. Andrew M. Cuomo said in a news release.
The state's move comes as the Federal Reserve and Federal Deposit Insurance Corp. are seeking suggestions and comments for potential cybersecurity requirements for U.S. banks.
Requirements under the new regulation include:
- a cybersecurity program based on a risk assessment of each regulated firm;
- a written cybersecurity policy approved by each firm's senior officer or board of directors;
- a chief information security officer appointed by each firm;
- annual testing of cybersecurity systems and biannual system vulnerability assessments;
- an audit trail for all cyber activity;
- multifactor or risk-based authentication for system users' access; and
- secure processes for data disposal.
The New York DFS cybersecurity regulation is available on the department's website.