New York Gov. Andrew Cuomo on Tuesday announced the proposal of a state regulation requiring state-chartered credit unions and other regulated financial institutions to develop and maintain a cybersecurity program. The plan, the first of its kind in the nation, could have far-reaching effects on some of the nation's largest credit unions.
The proposal would require covered financial institutions to develop a cybersecurity program that identifies, detects, responds to and resolves cybersecurity threats. The rule would also require those institutions to develop and maintain policies for reducing cybersecurity risk and procedures for maintaining relationships with third-party service providers. Institutions would also have to designate a Chief Information Security Officer responsible for implementation of the requirements.
The New York Credit Union Association is in the process of assessing the exact impact that the proposal will have on the state's credit unions, as well as "working with their member credit unions to make sure their concerns are heard by the [New York State Department of Financial Services] and the Governor's office," said RJ Tamburri, NYCUA communications manager.
Cuomo said the proposal – which is subject to a 45-day notice-and-comment period – is a critical measure for the state to take to protect some of the most important financial firms in the U.S.
"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," Cuomo said. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
The Financial Stability Oversight Council consistently lists cybersecurity threats as among the leading threats to financial stability, but regulators have been slow to adopt national standards. The Federal Reserve has also been in talks with financial institutions and other regulators for how to craft a future national rule setting cybersecurity standards.
