NY State Announces Proposal of “First-in-the-Nation” Cybersecurity Regulation

NY State Announces Proposal of “First-in-the-Nation” Cybersecurity Regulation

On September 13, 2016, Governor Andrew M. Cuomo announced that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks.

The regulation requires financial institutions to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.

Who is this proposed regulation applicable to?

This regulation will be applicable to banks, insurance companies, and other financial services institutions regulated by the NY State Department of Financial Services.

What does this regulation require?

The proposed regulation requires the regulated financial services companies:

  • To establish a cybersecurity program
  • To adopt a written cybersecurity policy
  • To designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy
  • To have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems
  • To include in their cybersecurity program
    • Annual penetration testing and vulnerability assessments
    • Implementation and maintenance of audit trail systems to reconstruct transactions and log access privileges
    • Annual risk assessments
    • Multi-factor authentication for individuals having privileged access
    • Cybersecurity awareness training for all personnel
    • Written incidence response plan

More details on the regulation can be found here.

NY State Department of Financial Services Superintendent Maria T. Vullo said, “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Why is this important?

Being cyber secure is more than just checking the box saying you have updated technologies in place. It is about ensuring the protection and privacy of your “crown jewels”, your clients, your people and your data. As technologies continue to evolve, the risk of breaches and cyber-attacks increases and puts everyone at risk. Breaches are costly, impacting revenues, your reputation and branding, and your valued clientele.  There are also hidden costs below the surface of this “ice berg”, such as insurance credit rating assessment which can also impact borrowing costs.

It is important to have the proper technologies in place, but go beyond that. Create and implement an information security program that includes not only policies and procedures but an incident plan is necessary to have in order to defend a breach or an attack, and train your personnel on the plan. By increasing your involvement and making user adoption a priority, you will drive better results and a better ROI for your efforts. The human defense shield is critical!

How to prepare?

If you are a big financial institution, chances are that you will have many of these required cybersecurity policies, procedures and controls in place and so, this regulation may have minimal impact on your current operations. However, if you are a small or medium sized financial services company, you may want to start planning for now. Fulfilling some of the requirements will require additional investments in resources, time and, in some cases, a change in culture.

Though it is still just in the proposal state, considering the years of preparation, research and analysis conducted by the NY State Department of Financial Services, the chances that this will become a regulation in the very near future are good. So “wait and watch” is not the most prudent strategy. Reach out to your cybersecurity advisors now to plan the next steps.

Need More Information?

If you have any questions about this update or would like to further discuss your cybersecurity plan, please contact a member of Withum’s Cyber Secure Services Group or email our experts Joe Riccie, Partner, [email protected], Anurag Sharma, Principal, [email protected], or Sumit Pal, Principal, [email protected].

Anurag Sharma - CISA, CISSP, CRISC, MBA, Principal Anurag Sharma, CISA, CISSP, CRISC, MBA, Principal
T (609) 520 1188
[email protected]
View Experience


Ask Our Experts

To ensure compliance with U.S. Treasury rules, unless expressly stated otherwise, any U.S. tax advice contained in this communication is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.

Previous Post

Next Post