The governor of New York and the state regulator have proposed a set of regulations for banks, insurance companies, and other financial services institutions to help them protect consumers and the financial sector from the threat of cyber attacks.
The rules require financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program.
The program should include annual penetration testing and vulnerability assessments, annual risk assessment of the confidentiality and availability of information systems, monitoring of authorised users and cybersecurity awareness training for all personnel, among others.
Further, the rules mandate firms to have policies in place to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties.
"This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible," Governor Andrew Cuomo said.
Financial services firms also have to appoint a chief information security officer, who will help implement, manage and enforce the new program and present bi-annual reports about progress and vulnerabilities to the board.
New York State Department of Financial Services superintendent Maria Vullo said: “DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs.
“Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks."
The proposed rules are subject to a 45-day notice and public comment period before final issuance.