The New York Department of Financial Services today issued final regulations that will require NY chartered banks and affiliates to establish and maintain a cybersecurity program as part of an ongoing effort to protect consumers and the state’s financial system from cybercrime. The rules take effect March 1, and with limited exceptions, banks will have 180 days to comply.
The regulations — the first of this kind to be issued by a state regulator — require banks and other financial services providers to maintain a cybersecurity program based on the institution’s level of risk; maintain written cybersecurity policies and procedures; designate a chief information security officer; and maintain an audit trail for cybersecurity events. The rules also impose additional requirements related to annual certification, risk assessments, reporting, recordkeeping, and periodic reviews of access privileges, among other things.
The final rules were revised from an earlier NYDFS proposal, which received significant pushback from bankers and other industry stakeholders, including ABA. While the final rules take a risk-based approach, ABA remains concerned that they will add significant regulatory burden to banks of all sizes, and that the short compliance window does not give banks enough time to put the necessary systems and processes in place. In addition, the rules could come in conflict with existing federal regulations, and may not provide enough flexibility to address the constantly evolving nature of cyber threats, the association noted.