Pierluigi Paganini February 19, 2017

The New York state announced that a set of cyber security regulations that will take effect on March 1st to tackle cyber threats.

On Thursday, the New York state announced that a cyber security regulation will take effect on March 1st. The regulations will require financial institutions and insurers to meet minimum cyber security standards and report cyber incidents to regulators.

The organizations subject to the new cyber security rules include both state-chartered banks and foreign banks operating in the New York state, along with any insurer that works in the state.

The measures are necessary to mitigate the risk of exposure to cyber crime organization and other threat actors.

The cyber security regulation announced by the New York state lay out unprecedented requirements on cyber security posture organizations must take to protect their infrastructure from cyber attacks.

The regulations are the result of huge work that started in 2014, the New York State delayed implementation of the cyber security regulation by two months and loosened some requirements after financial organizations demanded an extension due to the overhead to deal with ensuring the compliance.

“The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc, and Anthem Inc.” reported the Reuters.

The importance of the regulations was highlighted by the Governor Andrew Cuomo in the statement:

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” 

Financial institutions and insurers will have to scrutinize security posture of third-party service providers and conduct a continual risk assessment process.

“The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.” continues the Reuters.

The good news is that the attention to cyber security is widespread in the US, a task force of U.S. state insurance regulators is already working on the development of a model cyber security law that could be transposed and by various states.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Windows zero-day, hacking)