New York Proposes Cybersecurity Requirements for Banks

WASHINGTON — New York Gov. Andrew Cuomo on Tuesday announced the proposal of a state regulation requiring banks to develop and maintain a cybersecurity program. The plan, the first of its kind in the nation, could have far-reaching effects on some of the nation's largest banks.

The proposal would require covered financial institutions to develop a cybersecurity program that identifies, detects, responds to and resolves cybersecurity threats. The rule would also require covered institutions to develop and maintain policies for reducing cybersecurity risk and procedures for maintaining relationships with third-party service providers. Institutions would also have to designate a Chief Information Security Officer responsible for implementation of the requirements.

Cuomo said the proposal, which is subject to a 45-day notice-and-comment period, is a critical measure for the state to take to protect some of the most important financial firms in the U.S.

"New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises," Cuomo said. "This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."

The Financial Stability Oversight Council consistently lists cybersecurity threats among the leading threats to financial stability, but regulators have been slow to adopt national standards. The Federal Deposit Insurance Corp. acknowledged during a congressional hearing in July that the agency had not done enough to protect important bank data. The Federal Reserve has also been in talks with banks and other regulators about how to devise a future national rule setting cybersecurity standards.
