New York State Finalizes First-in-Nation Cyber Security Regulation

New York state announced a final cyber security regulation on Thursday with mandatory standards for banks and insurers to combat the ever-increasing risk of cyber attacks.

The regulation, which takes effect March 1, follows a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc and Anthem Inc.

It lays out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.

New York attorney Jed Davis, a former U.S. federal cyber crimes prosecutor, called the regulation a “game changer.”

“No other state and no other federal agency has these kinds of mandatory standards,” Davis said.

The regulation will affect state-chartered and foreign banks licensed to operate in the state, including Goldman Sachs Group Inc, Barclays Plc and Deutsche Bank AG , and all insurance companies that do business in the state.

The state in December delayed implementation of the regulation by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.

The new standards call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.

Covered entities must annually certify compliance.

Luke Dembosky, an attorney in Washington, D.C., and a former veteran cybercrime prosecutor, said the final, more flexible approach in the rules reflects input from industry.

“It’s now driven by a realistic assessment of one’s cyber security risks,” he said. “The overriding complaint of the first iteration was that it was much too prescriptive – ‘thou shall have this’.”

(Reporting by Karen Freifeld and Jim Finkle; Editing by Dan Grebler)