New York Regulators Weigh Cybersecurity Requirements for Banks and Insurers
New York regulators are considering a host of cybersecurity requirements for banks and insurers and have urged other state and federal authorities to collaborate on establishing a framework of defenses for the financial sector.
Financial Services Superintendent Anthony Albanese said in a letter to other regulators that his agency has surveyed more than 150 banks and 43 insurers since 2013 and has begun conducting risk assessments of financial institutions. The agency has concluded that “robust regulation” is needed.
There’s no specific timeline at this point for New York to issue its proposed cybersecurity regulations, department spokesman Matt Anderson said.
“First, although financial institutions have taken significant steps to bolster cyber security efforts in recent years, companies will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats,” Albanese wrote. “Second, third-party service providers often have access to sensitive data and to a financial institution’s information technology systems, providing a potential point of entry for hackers.”
New York’s key proposals would require written cybersecurity policies implemented in areas ranging from access controls, customer privacy and data governance to incident responses and disaster recovery planning.
Managing third-party providers would require multifactor identity authentication, use of data encryption, loss indemnification, warranties, incident notices and audits.
Regulated banks and insurers would have to conduct annual penetration testing and quarterly vulnerability assessments and maintain an audit trail that logs privileged user access and protects logs from tampering.
“Each covered entity would be required to immediately notify the department of any cyber security incident that has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident,” Albanese wrote.
The letter went to the Financial and Banking Information Infrastructure Committee members, the Federal Reserve Board of Governors, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors and other federal financial authorities and national associations.
“It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions,” Albanese wrote in the letter sent late Monday.