New York Governor Andrew M. Cuomo announced yesterday a new proposed regulation to address the growing threat posed by cyber-attacks. According to the State’s press release, the proposed regulation, which is subject to a 45-day notice and public comment period before final issuance, “aims to protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” In the past 18 months, several other states – including Connecticut, Nevada, and Washington – have also taken legislative action to promote greater protection against cyber-threats.
Once in place, New York’s regulation will require regulated organizations – specifically banks, insurance companies, and other financial services institutions regulated by the State’s Department of Financial Services – to: (1) establish a cybersecurity program; (2) adopt a written cybersecurity policy; (3) designate a Chief Information Security Officer; and (4) implement policies and procedures designed to ensure the security of information systems. The Department of Financial Services has published guidance fleshing out each of the foregoing requirements.
In the wake of Gov. Cuomo’s announcement, banks, insurance companies, and subject financial services institutions that do business in New York should carefully review their current programs, policies, and procedures to evaluate what action, if any, they will need to take to comply with the new obligations contemplated by the State’s proposed regulation.