Big news on the cybersecurity front and great news for the cybersecurity industry. New York Governor Andrew Cuomo and the top bank regulator for the state proposed on Tuesday (Sept. 13) that the state be the first to require banks to establish cybersecurity programs.
The regulations, if implemented, could cost banks and insurers millions, as banks would be forced to detect and deter incoming cyberattacks to protect consumer data by implementing systems under a chief information security officer. The banks would also be required to notify New York’s Department of Financial Services (DFS) of any data breach within 72 hours of the occurrence.
State regulation on the reporting of breaches is vague, and large organizations have tended not to report attacks.
Gov. Cuomo said in a statement: “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks to the fullest extent possible.”
The impetus for the proposed regulations stems from increasing concerns that hackers are targeting Wall Street and the U.S. financial infrastructure. Three men were indicted in November for an alleged sprawling cybercriminal operation targeting JPMorgan Chase & Co. and potentially affecting about 76 million households.
Benjamin Lawsky, New York’s first superintendent of cybersecurity, considered it a priority for the Department of Financial Services. Maria Vullo, the agency’s recently confirmed superintendent, is of the same opinion and is pursuing cybersecurity and cybercrime even more aggressively.
However, she is aware of the huge potential costs involved and wants to introduce minimum standards and allow banks and other companies to assess their own risk.
“DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs,” she said in a statement.
The proposed regulations will include testing of banks' cybersecurity by hackers. Anti-money laundering regulations were published in June and will take effect in 2017.
The proposal for the regulations is open for public comment for 45 days before the final version is issued.