Melisande Mual
19 Nov 2015 / 5 Min Read
The Department is proposing to require all entities to develop, implement and maintain a cybersecurity program to address twelve identified aspects of cybersecurity planning and readiness, including: information security, data governance and classification, access controls and identity management, business continuity and disaster recovery planning, capacity and performance planning, system operations and availability, system and network security, system and application development and quality assurance, physical security and environmental controls, customer data privacy, vendor and third-party service provider management, and incident response.
Businesses subject to the Department’s proposed regulations would be expected to stay ahead of new cybersecurity threats and countermeasures and to train and employ personnel to adequately manage their cybersecurity risks.
The Department will require covered entities to adopt multi-factor authentication in connection with providing access to their internal systems or data from external networks, including customer access via web-based applications or other privileged access to database servers containing confidential information. The proposed regulations would also require covered entities, as part of their cybersecurity program, to conduct annual penetration testing and quarterly vulnerability assessments, and to maintain a system to collect, store and protect access data in order to preserve an audit trail.