New York Becomes First State to Announce Cybersecurity Regulation. 

How many other states will follow suit?

Spoiler Alert: All of them!

On September 13, 2016, the New York Department of Financial Services proposed landmark legislation that would require banks and other financial institutions to adopt minimum cybersecurity standards. If approved, New York would also be the first state to call for a prescriptive cybersecurity program for banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services.

During the last presidential debate, cybersecurity took center stage and was one of the few topics both candidates agreed on.  Hillary Clinton stated “cyber security, cyber warfare will be one of the biggest challenges facing the next president”.  Donald Trump added, “We are not doing the job we should be doing.”

With the nation’s attention focused on cyber security and the rising scope of attacks, it is assured that more states (if not all) will follow in New York’s footsteps and require state-based cybersecurity regulations.  We should expect a crisscross of state laws that will impact financial institutions with a multistate presence.

The New York state proposal requires regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems. More details on the regulation can be found here.

Organizations should take a fresh look at their security programs and determine if they can adapt to imminent regulatory changes. The ability to evolve your program over time has never been more critical, since a risk and compliance program is not a one-time exercise.  In a recent survey of Rsam customers, nearly 30% with deployments of more than 6 months said they had changed between up to 40% of their GRC program since its inception.   In risk, change is a variable, but preparation for change is a constant.