New York cyber security rules go into effect March 1

New York state has adopted a final regulation that will go into effect March 1 that requires financial institutions, including insurers, to establish a cyber security program.

The final rule requires regulated companies to implement controls to ensure a robust cyber security program, including requirements for a program that is adequately funded and staffed, overseen by qualified management and reported on periodically to the most senior governing body of the organization.

The regulation also adopts risk-based minimum standards for technology systems, including access controls, data protection including encryption, and penetration testing. It establishes required minimum standards to help address any cyber breaches such as an incident response plan, preservation of data to respond to such breaches, and notice to New York State Department of Financial Services of material events. 

The rule also establishes accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to the department.

"New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks," Gov. Andrew Cuomo said Thursday in a statement. "These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes."

“With this landmark regulation, (the department) is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” Department of Financial Services Superintendent Maria Vullo said in the statement. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks.”

The final regulation incorporates suggestions made during two public comment periods following the release of the proposed rule. There was a 45-day comment period starting Sept. 28 for the first proposal and a 30-day comment period starting Dec. 28 for the second version. 

“Throughout the regulatory review period, we emphasized how critical it is for insurers to have the ability to tailor and implement their cyber security programs in a risk-based manner,” Alison Cooper, Albany, New York-based Northeast region vice president for the American Insurance Association, said in a statement. “While some challenges remain, overall the final cyber security regulation provides greater flexibility so insurers are able to better adapt to an evolving threat landscape.”