N.Y. Regulators Weigh Cybersecurity Requirements for Banks, Insurers

November 12, 2015 by

New York regulators are considering a host of cybersecurity requirements for banks and insurers and urged other state and federal authorities to collaborate on establishing a framework of defenses for the financial sector.

New York Financial Services Superintendent Anthony Albanese said in a letter to other regulators that his agency has surveyed more than 150 banks and 43 insurers since 2013 and has begun conducting risk assessments of financial institutions. They have concluded that “robust regulation” is needed.

There’s no specific timeline at this point for New York to issue its proposed cybersecurity regulations, department spokesman Matt Anderson said.

“First, although financial institutions have taken significant steps to bolster cyber security efforts in recent years, companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats,” Albanese wrote. “Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers.”

New York’s key proposals would require written cybersecurity policies implemented in areas ranging from access controls, customer privacy and data governance to incident responses and disaster recovery planning.

Managing third-party providers would require multifactor identity authentication, use of data encryption, loss indemnification, warranties, incident notices and audits.

Regulated banks and insurers would have to conduct annual penetration testing and quarterly vulnerability assessments and maintain an audit trail that logs privileged user access and protects logs from tampering.

“Each covered entity would be required to immediately notify the department of any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident,” Albanese wrote.

The letter went to the Financial and Banking Information Infrastructure Committee members, the Federal Reserve Board of Governors, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors and other federal financial authorities and national associations.

“It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions,” Albanese wrote in the letter sent late Monday.

Related: