NP Privacy Partner
NY proposes cybersecurity rules for financial institutions
On September 13, New York Governor Andrew Cuomo announced the state’s proposed cybersecurity rules applicable to banks, financial service firms and insurers. The New York Department of Financial Services (“NYDFS”) has issued for public comment Cybersecurity Requirements for Financial Services Companies. As stated in the introduction to the regulation, regulatory action and proactive measures are necessary to combat the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The regulation “is designed to promote the protection of consumer information as well as the information technology systems of [entities regulated by NYDFS].”
Financial institutions will be required to establish a cybersecurity program performing the following five core functions: (1) identification of cyber risks, (2) implementation of policies and procedures to protect against unauthorized access or use and other malicious events, (3) detection of cybersecurity events, (4) response to identified cybersecurity events, and (5) recovery from cybersecurity events and restoration of normal operations and services.
The institutions must also adopt a written cybersecurity policy to protect their information systems and non-public information. The policy must address an array of vital functions, including business continuity and disaster recovery, access controls and identity management, and physical security and environmental controls. The management and oversight of third-party service providers is another key component of the regulation's broad scope and intended protections; it will require due diligence on, and periodic assessments of, vendors and contractors.
Institutions must designate a Chief Information Security Officer with responsibility to oversee and implement the cybersecurity program and enforce cybersecurity policy. The CISO must report to the board, at least bi-annually, to (1) assess the confidentiality, integrity and availability of information systems; (2) detail exceptions to cybersecurity policies and procedures; (3) identify cyber risks; (4) assess the effectiveness of the cybersecurity program; (5) propose steps to remediate any identified inadequacies; and (6) summarize all material cyber events.
NYDFS surveyed approximately 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime. Additionally, it met with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third-party vendors. The proposed regulation is subject to a 45-day notice and public comment period before its final issuance.
This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP