New York state weighs its own cyber security rules

The New York Department of Financial Services is seeking feedback from state and federal authorities on the state's proposed cyber security regulations for financial institutions.

The New York State Department of Financial Services “considers cyber security to be among the most critical issues facing the financial world today — and one that poses a particular challenge to regulatory agencies,” it said in a letter sent Monday to the federal Financial and Banking Information Infrastructure Committee. Among other things, the committee is charged with enhancing the resiliency of the U.S. financial sector.

“As such, we have taken a number of steps in recent years to highlight and identify existing and emerging cyber security risks at banks and insurance companies,” according to the letter.

After surveying banks and insurers beginning in 2011, the department concluded that “there is a demonstrated need for robust regulatory action in the cyber security space.” In its letter, the department said it believes “that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.”

The letter lists several potential regulations. They include requiring banks and insurers to implement and maintain written cyber security policies that address a dozen specific areas, including customer data privacy; vendor and third-party service provider management; and incident response, “including by setting clearly defined roles and decision-making authority.”

Each covered entity also would be required to designate a chief information security officer and to conduct annual penetration testing and quarterly vulnerability assessments.
