February 17, 2017
New York finalized its cybersecurity regulation, as announced by Governor Andrew Cuomo yesterday.
The rule requires brokers, insurance companies, banks and other entities regulated by the state’s Department of Financial Services to establish cybersecurity programs to protect consumers’ sensitive data. The final rule takes effect on March 1, 2017, the same effective date provided in the proposed draft of the rule issued last December.
The regulation establishes controls to ensure financial firms maintain a “robust” cybersecurity programs to protect consumers’ personal data. It also establishes minimum standards for technology systems related to controlling access, encryption, penetration testing, and also creates standards to address breaches.
The Department released two drafts of the proposal for comment last year, and The Council submitted comments on both versions. The Council’s outside counsel, Steptoe & Johnson, is currently reviewing the final rule and will have a full analysis in the coming days.