February 21, 2017

New York’s New Cybersecurity Regulation to be Enforced in March

New York’s new cybersecurity regulation takes effect on March 1, imposing new norms and requirements on the insurance and banking sectors as the state aims to better protect institutions and consumers against breaches and cyberattacks.

The controversial and often-debated regulation is, according to New York Governor Andrew M. Cuomo, the first of its kind to be adopted and enforced by any U.S. state.

In statements, Governor Cuomo said:

New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.

Among the regulatory requirements are mandates that financial and insurance institutions retain a CISO, implement multifactor authentication and report cybersecurity incidents within 72 hours.

A number of requirements now mandated by the new regulation have already been adopted by larger financial institutions. Examples include developing an in-house cybersecurity plan and program, business continuity protocols in the event of an attack, and a written policy that clearly addresses critical functions including access controls, asset inventory and data governance.

Further, the CISO is required to report to the organization’s board of directors at least annually.

An organization’s cybersecurity program is required to include a periodic risk assessment. Annual penetration tests of the cybersecurity infrastructure will be required. Further, the new regulation mandates that transmitted data be encrypted. Unsurprisingly, organizations will also be required to develop a written incident response plan.

Relevant companies in New York will be required to submit a statement to the state’s Superintendent of Financial Services by February 15, each year, to certify compliance.

The initial proposed regulation was put forth in September 2016 by the Department of Financial Services. A 30-day comment period followed after its publication, with industry participants weighing in with suggestions. For instance, a sweeping definition of what constituted ‘non-public information’ was amended by the DFS after input from private industry.

While the regulation takes effect on March 1, organizations will still have 180 days to comply with the new rules. Some organizations will have up to two years to adhere to compliance due to built-in grace periods while smaller organizations will be allowed to apply for exemptions.

“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” stated New York State Department of Financial Services Superintendent Maria T. Vullo.

The final regulation, in full, is available here.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
