New York, New York. That’s my kinda regulation

Today is a big day for New York banks or any “Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law [of New York].”

Beginning March 1, 2017, the state of New York will begin the two-year process to phase in the “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR 500). The rule sets forth the minimum cybersecurity requirements for financial companies doing business in New York.

Among other security requirements, covered entities will have to:

  1. Develop and maintain a cybersecurity program based on a risk assessment;
  2. Implement and maintain a cybersecurity policy;
  3. Designate a qualified Chief Information Security Officer (CISO); and
  4. Perform penetration testing.

In general, the requirements set forth in the New York rule make sense and should be a part of any strong security program already.

One of the requirements that struck me is the 72-hour reporting deadline to the Superintendent of Financial Services. What is striking (at least to me) about this provision is the lack of a law enforcement exception. In most breach notification rules, there is an acceptable delay in reporting if law enforcement is investigating the breach. No such exception is present in the New York regulation.

This is one of the stronger state regulations of the past couple of years. It will be interesting to see if other state regulators follow suit.