Proposed Cybersecurity Regulations

Contact: Johnny Evers or Lev Ginsburg
September 14, 2016

The Department of Financial Services (DFS) has proposed regulations requiring the establishment and maintenance of a cybersecurity program for entities that operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, insurance law or the financial services law.

The breadth of the proposal raises many concerns among our members – the regulated institutions and those that serve as third-party vendors to the institutions. In addition to establishing a cybersecurity policy and program, it requires the designation of a chief information security officer responsible for implementing, overseeing and enforcing its new program and policy; the implementation of policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties; and a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

The proposed regulation is subject to a 45-day comment period ending November 14, 2016. The Business Council intends to comment and welcomes members to contact Johnny Evers or Lev Ginsburg with their discrete issues and concerns for inclusion in the submitted comments to DFS. The proposed cybersecurity regulation is available for review here.