NY state financial cybersecurity rule taking effect in March

A New York state regulation intended to protect the financial services industry and its consumers from cyberattacks is taking effect in March.

Gov. Andrew Cuomo (D) announced the regulation on Thursday, describing it as the first of its kind in the nation. The rule will require banks, insurance companies, and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data and secure the financial services industry.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks,” Cuomo said in a statement on Thursday. 


“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes,” the governor added. 

The rule will take effect on March 1, 2017. The state submitted an initial proposal for comment in September and updated it in December to receive further input.

“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks,” Maria Vullo, superintendent of the state’s financial services department, said.

The regulation puts in place controls to ensure financial firms maintain a “robust cybersecurity program” to protect consumers’ personal data, according to the governor’s office. It also establishes minimum standards for technology systems, covering access controls, encryption, and penetration testing, and creates standards for addressing breaches.