Major new state regulations governing cybersecurity at banks and insurance companies took effect in New York state Monday.
The New York State Department of Financial Services developed the regulations in an effort to deter cyberattacks, and to require the companies the department regulates to begin reporting cyberattacks to the department.
“Monday marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyberattacks,” Maria Vullo, New York’s insurance superintendent, said in a statement.
The new rules set minimum cybersecurity standards based on each entity’s risk assessment, covering the personnel, training and controls in place to protect data and information systems from hacking and data breaches.
The new rules, which were completed in March, require state-regulated banks and insurance companies to:
Develop state-approved plans to deter cyberattacks.
Report any attacks to the department within 72 hours of when the attacks occur.
Re-evaluate and upgrade company security systems annually.
Have their boards certify that the companies are in compliance with the security requirements by Feb. 15.
Legal observers note that the state is setting the requirements through a regulatory process, rather than through legislative action.
Mark Krotoski, a partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said many of the requirements established by the department, such as requirements that an affected company have a chief information security officer and an incident response plan, are already in place at banking and insurance companies.