UPDATED 21:13 EDT / JANUARY 02 2017

New York proposes cyber security regulations for financial institutions

New York state would be the first in the United States to implement its own set of cyber security regulations for financial services providers under proposed regulations presented last week.

Applicable to any company registered by the New York State Department of Financial Services, the regulations will require banks, insurance companies and other financial institutions to establish a cyber security program and appoint a chief information security officer. The state claims that the regulations are designed to protect consumers and ensure the safety and soundness of the financial services industry.

“New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information,” New York Financial Services Superintendent Maria T. Vullo said in a statement. “This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

According to The Wall Street Journal, the regulations provide financial firms more flexibility than previous drafts, including allowing firms to report cyber attacks within 72 hours of determining that a breach happened, instead of having 72 hours from the time of the actual breach. The regulations also detail requirements for firms to undertake periodic risk assessments of their cyber security programs, encrypt non-public information and develop an incident response plan.

“It’s clear that New York State took the public’s concerns seriously, and in doing so, created a much stronger and more effective set of regulations that will protect both consumers and the banks themselves — without imposing needlessly burdensome or costly requirements,” Tanium Chief Security Officer David Damato told Financial Magnates. “They’ve gotten rid of the one-size-fits-all approach that hampered the original regulations by recognizing that each bank should tie their cybersecurity approach to their individual risk assessment. The State has also recognized that reporting every single incident — even unsuccessful ones — would have been unfeasible for large banks that see thousands of attempted intrusions every day.”

Implementation of the regulations has been pushed back to Mar. 1 after initially being proposed for this month, with financial institutions being given six months to comply.
