On September 13, 2016, New York Governor Andrew Cuomo announced a new regulation that would require banks and insurers to implement cyber security programs. The regulation is the first of its kind not only in New York but in all of the United States. While the regulation would only apply to banks and insurers licensed by the New York Department of Financial Services (“DFS”), it may pave the way for similar measures to be passed in other states and on the federal level.
The proposed regulation is somewhat analogous to the rules governing security and privacy of protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, the regulation will require covered entities, defined as any entity operating under a license or other authorization required by New York’s banking, insurance or financial services law, to establish and maintain a cyber security program that will protect the confidentiality, integrity and availability of the covered entity’s information systems. At a minimum, the cyber security program will have to address the following areas:
- information security;
- data governance and classification;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- capacity and performance planning;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and third-party service provider management;
- risk assessment; and
- incident response.
Covered entities will also be required to train personnel on cyber security, conduct risk assessments of their cyber security program at least annually, and ensure that any third parties doing business with the entity are abiding by the same security standards. If a “cybersecurity event” occurs that has “a reasonable likelihood of materially affecting the normal operation of the covered entity or affects non-public information,” the covered entity would have to notify DFS within 72 hours of becoming aware of such event. Covered entities will also be required to appoint a Chief Information Systems Officer to manage the cyber security program and to certify that they are compliant with the regulation by filing a certification with DFS on an annual basis.
Governor Cuomo believes this regulation will help “guarantee [that] the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.” Large banks and insurers have frequently been the target of hackers, and many have already implemented some form of a cyber program. However, the new regulation may pose a bigger hurdle for smaller banks and insurers, which will now need to spend time and money to bring their cyber programs, or lack thereof, on par with the new standards.
The new regulation is open to public comments for 45 days before it becomes final. If finalized, the regulation would become effective in January 2017 and covered entities would have to certify their cyber security programs for the first time by January 2018.