On September 13, the New York Department of Financial Services issued proposed regulations that would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.  

Among the planned requirements, regulated financial institutions will be required to (a) establish a cybersecurity program and adopt a written cybersecurity policy; (b) designate a Chief Information Security Officer responsible for implementing, overseeing, and enforcing its new program and policy; and (c) have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity, and availability of information systems.  Board chairpersons would also be required to file annual certifications with NYDFS, stating, to the best of their knowledge, that their companies’ cyber programs comply with the regulation. 

Other measures would include appointing overseers for outside vendors and limiting access of customers’ non-public information, such as Social Security numbers, to employees who need those details, according to the proposal.  Systems would have to include multiple steps for verifying user identities. 

Notably, the proposed regulations are already called for under guidance set by the Federal Financial Institutions Examination Council, a panel of regulators including the Federal Deposit Insurance Corp., the Federal Reserve, and the Office of the Comptroller of the Currency. 

The proposed regulations are also similar to (albeit more comprehensive than) Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth regulation.  That law, which has been in place since 2010, requires every business that licenses or owns personal information of Massachusetts residents to comply with minimum security standards.  Those minimum standards include implementing a written information security program (referred to as a “WISP”) with appropriate administrative, technical, and physical safeguards. 

The proposed regulation is subject to a 45-day notice and public comment period following the September 28 publication in the New York State register before its final issuance.