New York state weighs its own cyber security rules
The New York Department of Financial Services is seeking feedback from state and federal authorities on the state's proposed cyber security regulations for financial institutions.
The New York State Department of Financial Services “considers cyber security to be among the most critical issues facing the financial world today — and one that poses a particular challenge to regulatory agencies,” it said in a letter sent Monday to the federal Financial and Banking Information Infrastructure Committee. Among other things, the committee is charged with enhancing the resiliency of the U.S. financial sector.
“As such, we have taken a number of steps in recent years to highlight and identify existing and emerging cyber security risks at banks and insurance companies,” according to the letter.
After surveying banks and insurers beginning in 2011, the department concluded that “there is a demonstrated need for robust regulatory action in the cyber security space.” In its letter, the department said it believes “that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.”
The letter lists several potential regulations. They include requiring banks and insurers to implement and maintain written cyber security policies that address a dozen specific areas, including customer data privacy; vendor and third-party service provider management; and incident response, “including by setting clearly defined roles and decision-making authority.”
Each covered entity also would be required to designate a chief information security officer and to conduct annual penetration testing and quarterly vulnerability assessments.