(Adds comment from cyber security expert)
By Karen Freifeld and Jim Finkle
NEW YORK/BOSTON Feb 16 New York state announced
a final cyber security regulation on Thursday with mandatory
standards for banks and insurers to combat the ever-increasing
risk of cyber attacks.
The regulation, which takes effect March 1, follows a series
of high-profile data breaches that resulted in losses of
hundreds of millions of dollars to U.S. companies, including
Target Corp, Home Depot Inc and Anthem Inc
It lays out unprecedented requirements on steps financial
firms must take to protect their networks and customer data from
hackers and disclose cyber events to state regulators.
"These strong, first-in-the-nation protections will help
ensure this industry has the necessary safeguards in place" to
protect businesses and clients "from the serious economic harm
caused by these devastating cyber-crimes," Governor Andrew Cuomo
said in a statement.
New York attorney Jed Davis, a former U.S. federal cyber
crimes prosecutor, called the regulation a "game changer."
"No other state and no other federal agency has these kinds
of mandatory standards," Davis said.
The regulation will affect state-chartered and foreign banks
licensed to operate in the state, including Goldman Sachs Group
Inc, Barclays Plc and Deutsche Bank AG
, and all insurance companies that do business in the
The state in December delayed implementation of the
regulation by two months and loosened some requirements after
financial firms complained they were onerous and said they would
need more time to comply.
The new standards call for banks and insurers to scrutinize
security at third-party vendors that provide them goods and
services. In 2015, the New York Department of Financial Services
found that a third of 40 banks polled did not require outside
vendors to notify them of breaches that could compromise data.
The revised rule requires firms to perform risk assessments
in order to design a program particular to them, and gives them
at least a year-and-a-half to comply with the requirements. The
final rule took into account the burden on smaller companies, a
spokeswoman for the agency said.
Covered entities must annually certify compliance.
Luke Dembosky, an attorney in Washington, D.C., and a former
veteran cybercrime prosecutor, said the final, more flexible
approach in the rules reflects input from industry.
"It's now driven by a realistic assessment of one's cyber
security risks," he said. "The overriding complaint of the first
iteration was that it was much too prescriptive -- 'thou shall
(Reporting by Karen Freifeld and Jim Finkle; Editing by Dan