New York state regulators have proposed new cybersecurity requirements for banks and insurers intended to protect them and consumers.
The Department of Financial Services’ proposal, subject to public comment, would require financial institutions to adopt written policies and designate individual security officers responsible for implementing and enforcing them next year.
The regulations are intended to ensure security of computer systems and non-public information, including data accessible or held by third parties.
The department surveyed more than 150 banks and 43 insurers and began conducting risk assessments of financial institutions last year, concluding “robust regulation” is needed.
Key areas included access controls, customer privacy, data governance, incident response and disaster recovery planning.
Managing third-party providers would require multifactor identity authentication, data encryption, loss indemnification, warranties, incident notices and audits.