On Tuesday, September 13, 2016, Governor Cuomo proposed a new regulation that (if enacted) will have a substantial effect on mortgage lenders, brokers and others regulated by the Department of Financial Services. The proposed rule aims to protect consumers and financial institutions from cyber-attacks by requiring banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services (collectively “financial service companies”) to establish and maintain cybersecurity programs.

Specifically, the proposed regulation would require NY-regulated financial service companies to establish a cyber security program designed to identify, detect, defend against and respond to internal and external cyber risks. If enacted, among other things, the program would require the following:

  1. A written cybersecurity policy outlining the policies and procedures for the protection of a company’s information systems and the nonpublic private information stored on those systems;
  2. Designation of a qualified Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the company’s cybersecurity program;
  3. A biannual report produced by the CISO that, among other things, identifies cyber security risks and assesses the company’s information systems and effectiveness of the cyber security program;
  4. Annual penetration testing of the company’s information systems;
  5. Quarterly vulnerability assessments of the company’s information systems;
  6. Audit Trail systems that track and maintain data logging and protect the integrity of the systems;
  7. Annual Risk Assessment of the company’s information systems;
  8. Multi-factor authentication to the company’s systems;
  9. Encryption of nonpublic private information stored or transmitted by the company;
  10. Training; and
  11. An Incident Response Plan.

The proposed regulation will undergo a forty-five (45) notice and comment period following its September 28, 2016 publication in the New York State Register. During this period the public may comment on how the regulation may be modified or improved by emailing CyberRegComments@dfs.ny.gov. Following the forty-five day period, the regulation will either be finalized or withdrawn based upon the comments received. The text of the proposed rule can be found at: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.