New York – first in the US to release financial institution cybersecurity regulations

New York State’s Department of Financial Services recently released an updated cybersecurity proposal that will come into effect on March 1, 2017. The proposed regulation will require all NY financial institutions to implement security measures in order to protect against cyberattacks. Comments on the proposal are open until the end of January, after which the final version will be put into action.

New York is the first to mandate financial institution cybersecurity regulations and other states are likely to follow suit.


Covered entities must submit an annual written certification to the superintendent of financial services to demonstrate their compliance with the regulation.

Among its many provisions, the regulation will require organizations to maintain a cybersecurity policy and program, implement risk assessment controls and an incident response plan, provide regular cybersecurity awareness training, conduct penetration testing and identify vulnerabilities, and encrypt non-public information.

In addition, records, timetables, and information supporting the certificate must be kept for five years for inspection by the department.

Organizations that are exempt

The proposal clarifies that companies with fewer than 10 employees, and that have less than $5 million in revenue (for the last three years) or assets that do not exceed $10 million are exempt from many of the regulation’s requirements.


Implementation will be especially challenging as there are many different compliance deadlines, which range from six months to two years, so financial organizations should begin preparing now.


The proposal omits the exact penalties for failure to comply and submit the annual certification, but IT Governance will closely follow any changes and penalties as they are released by the department and report them here.

Sign up for our newsletter, the Daily Sentinel, to receive all the latest updates >>