The New York Department of Financial Services ("DFS") on November 10, identified cybersecurity requirements for the banks and insurance companies it regulates, including mandatory annual audits, enhanced identity authentication for key databases and a mandate that firms have a single executive charged with managing their information security. This announcement followed DFS’ surveys of both the banking and insurance industries and a February 2015 public pronouncement that regulatory measures directed to insurers and their agency force would be forthcoming. The announcement is consistent with the recent development by the National Association of Insurance Commissioners (NAIC) of its Principles for Effective Cyber security Insurance Regulatory Guidance.
DFS Acting Superintendent Anthony Albanese raised cybersecurity concerns and proposed solutions in a letter to the Financial and Banking Information Infrastructure Committee, a federal group looking at issues such as banking infrastructure.
A copy of the announcement is available here.
While New York is one of the few states that has publicly announced cyber security initiatives, the activity may be the first in a series of proactive regulatory developments governing the cybersecurity of regulated entities.