New York State Department of Financial Services Issues Cybersecurity Regulations

2/22/2017 1:45 PM

The regulations outline standards for companies’ cybersecurity programs as well as how to respond to data security breaches and report events to the department.
Financial services companies regulated by the New York State Department of Financial Services (NYSDFS), such as banks and insurance companies, will be required to follow cybersecurity requirements to protect consumers’ private data effective March 1, 2017.

New York Gov. Andrew M. Cuomo announced the cybersecurity regulation, also designed to “ensure the safety and soundness of New York’s financial services industry,” this month.

“It is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyberattacks,” Cuomo said in a news release. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves.”

The NYSDFS reviewed comments submitted on the proposed cybersecurity regulation last year and included suggestions it deemed appropriate in the final regulation.

“The final risk-based regulation includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances,” according to the NYSDFS news release.

In its regulation, the NYSDFS also states that “it is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”

The new regulations include:

  • A cybersecurity program that is “adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”
  • Minimum standards to address any data security breaches, including a response plan, preserving data to respond to any breaches and providing notice of material events to the NYSDFS.
  • Requiring identification and records of material deficiencies, remediation plans and annual certifications of regulatory compliance to the NYSDFS.

“Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances,” the regulation states. “Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

The regulation will become effective upon publication in the New York State Register on March 1, 2017.

“With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” NYSDFS Superintendent Maria T. Vullo said. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyberattacks.”
