Proposed Cybersecurity Regulations
The Department of Financial Services (DFS) has proposed regulations requiring the establishment and maintenance of a cybersecurity program for entities that operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, insurance law or the financial services law.
The breadth of the proposal raises many concerns among our members – the regulated institutions and those that serve as third-party vendors to the institutions. In addition to establishing a cybersecurity policy and program, it requires designating a chief information security officer responsible for implementing, overseeing and enforcing the new program and policy; implementing policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties; and meeting a variety of other requirements to protect the confidentiality, integrity and availability of information systems.
The proposed regulation is subject to a 45-day comment period ending November 14, 2016. The Business Council intends to comment and invites members to contact firstname.lastname@example.org or email@example.com with their discrete issues and concerns for inclusion in the comments submitted to DFS. The proposed cybersecurity regulation is available for review here.