New York’s Department of Financial Services today issued a new set of proposed regulations on cybersecurity, the first of its kind from a state regulator. All state-chartered, FDIC-insured banks are supervised for cybersecurity at the federal level, but state-level New York actions can set precedents for other state regulators.
Under the proposed rules, New York-chartered financial institutions would be required to: establish a cybersecurity program; adopt a written cybersecurity policy; designate a chief information security officer; and have policies and procedures to ensure the security of information systems and private information accessible to, or held by, third parties. Additional requirements would include annual penetration testing, periodic reviews of access privileges, annual risk assessments and multi-factor authentication for accessing internal systems, among others.
If finalized, the rule would take effect Jan. 1, 2017, and compliance would be required 180 days later. Comments are due by Oct. 28.