Critics say a new law imposing significant reporting requirements on financial institutions in the state of New York could set the stage for similar laws in other states. The new rules require banks, insurers and other financial institutions to establish a comprehensive cybersecurity program and appoint an information security officer to oversee it, among other things.
Perhaps most troubling, at least from a risk management perspective, is the new law’s requirement that the cybersecurity policy be approved annually by the company’s board of directors. That stipulation has clear implications for Directors and Officers liability coverage and could lead to a surge in claims.
It’s also important to note that the new law does not exclusively apply to New York businesses. All companies licensed in the state of New York, regardless of place of incorporation or location, are subject to the new regulation as imposed by the New York State Department of Financial Services (NYDFS).
The regulations set forth detailed requirements that institutions must follow, including:
- Establishing a cybersecurity program “designed to protect the confidentiality, integrity and availability” of the institution’s information systems
- Conducting a cyber risk assessment
- Implementing a written cybersecurity policy approved by the Board of Directors
- Appointing a Chief Information Security Officer
- Implementing access and monitoring controls
- Performing third-party due diligence
- Notifying the NYDFS within 72 hours of a “cybersecurity event”
The following link includes key dates in the implementation of the new law, as well as pertinent facts about the individual requirements: http://www.dfs.ny.gov/about/cybersecurity.htm