(Corrects Anthem stock symbol in paragraph 2 to ANTM.N from
ANTH.O. Corrects date of report in sixth paragraph to 2015 from
By Karen Freifeld and Jim Finkle
NEW YORK/BOSTON Feb 16 New York state on
Thursday announced final regulations requiring banks and
insurers to meet minimum cyber-security standards and report
breaches to regulators as part of an effort to combat a surge in
cyber crime and limit damages to consumers.
The rules, in the works since 2014, followed a series of
high-profile data breaches that resulted in losses of hundreds
of millions of dollars to U.S. companies, including Target Corp
, Home Depot Inc and Anthem Inc.
They lay out unprecedented requirements on steps financial
firms must take to protect their networks and customer data from
hackers and disclose cyber events to state regulators.
"These strong, first-in-the-nation protections will help
ensure this industry has the necessary safeguards in place" to
protect businesses and clients "from the serious economic harm
caused by these devastating cyber-crimes," Governor Andrew Cuomo
said in a statement.
The state in December delayed implementation of the rules by
two months and loosened some requirements after financial firms
complained they were onerous and said they would need more time
The new rules call for banks and insurers to scrutinize
security at third-party vendors that provide them goods and
services. In 2015, the New York Department of Financial Services
found that a third of 40 banks polled did not require outside
vendors to notify them of breaches that could compromise data.
The revised rule requires firms to perform risk assessments
in order to design a program particular to them, and gives them
at least a year-and-a-half to comply with the requirements. The
final rule took into account the burden on smaller companies, a
spokeswoman for the agency said.
Covered entities must annually certify compliance.
Institutions subject to the regulation include
state-chartered banks, as well as foreign banks licensed to
operate in the state, along with any insurer that does business
in New York.
A task force of U.S. state insurance regulators is also
developing a model cyber security law, which individual state
legislatures could ultimately choose to adopt.
(Reporting by Karen Freifeld and Jim Finkle; Editing by Dan