New York cyber-regulation to take effect on 1 March

Chris Hamblin

28 February 2017

The regulation requires banks, insurance companies and other financial service institutions regulated by the NYDFS to establish and maintain cyber-security programmes to protect consumers’ private data and keep financial firms, in the regulator's words, "safe and sound." The rules are the first of their kind in the United States.

The final risk-based regulation sets certain regulatory minimum standards while encouraging firms to keep pace with technological advances. It calls for the following.

Controls that ensure that each programme that is funded and staffed adequately and overseen by qualified managers who send periodic reports about it to the most senior governing body of their organisation;
Risk-based 'minimum' standards (the NYDFS does not say what this term means) for technological systems including access controls, encryption (and the protection of data in general) and 'penetration testing';
Required 'minimum' standards to help each firm address any 'cyber-breaches,' including an incident response plan, the preservation of data that might help in such a response, and notices that it must send to the NYDFS about significant events; and
'Accountability,' a term that covers identification requirements, the writing-down of significant deficiencies, remediation plans and annual certifications of regulatory compliance to the NYDFS.

The NYDFS considered all comments submitted during a 45-day comment period after it published its proposal for the regulation in September and a 30-day comment period after it published an updated version in December. The regulation will be become effective upon publication in the New York State Register on 1 March.