New York governor Andrew Cuomo has announced a cybersecurity regulation that will protect consumer data and financial systems from terrorist organisations and other cyber criminals.
The final risk-based regulation, which is set to take effect on 1 March 2017, will require banks, insurance firms, and other financial services institutions regulated by the Department of Financial Services to adopt a cybersecurity programme designed to protect consumers’ private data.
It will also require financial institutions to have a programme that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the senior governing body of the organisation.
Financial institutions will have to maintain risk-based minimum standards for technology systems, such as access controls, data protection including encryption, and penetration testing.
The rule requires identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance.
Commenting on the regulation, Cuomo said: "New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."
New York State Department of Financial Services superintendent Maria Vullo said, “With this landmark regulation, DFS is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information.
“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber-attacks.”