date 2015-11-10
(Adds details about hacker indictments in 4th paragraph,
By Suzanne Barlyn
Nov 10 New York State's financial services
regulator on Tuesday unveiled details about potential new cyber
security regulations for banks and insurance companies under its
jurisdiction.
The measures, which follow a string of high-profile hacking
incidents, would include everything from requiring that firms
appoint a chief information security officer to adopting a
multi-stepped process for allowing employees and customers to
log into their systems.
The details were outlined in a letter sent by the New York
Department of Financial Services (NYDFS) to other state and
federal regulators, and are the most comprehensive information
to date about the planned regulations.
NYDFS publicized the letter on the same day that U.S.
prosecutors unveiled criminal charges accusing three men of
helping run a sprawling series of hacking and fraud schemes,
including a huge 2014 attack against JPMorgan Chase & Co,
that generated hundreds of millions of dollars of
illegal profit.
"It is our hope that this letter will help spark additional
dialogue, collaboration and, ultimately, regulatory convergence
among our agencies on new, strong cyber security standards for
financial institutions," wrote Anthony Albanese, acting NYDFS
superintendent, in a letter to numerous regulators, including
the U.S. Office of the Comptroller of the Currency and Federal
Reserve Board of Governors.
The NYDFS regulations, if ultimately adopted, would require
firms to adopt written cyber security policies and procedures in
12 areas, including customer data privacy and network security.
Firms would also have to develop policies to require that
outside service providers also keep data secure.
The planned measures follow surveys that NYDFS conducted
between 2013 and 2015 about cyber security programs of companies
it regulates. An April report, for example, revealed that
one-third of the 40 banks NYDFS had surveyed in 2014 did not
require outside vendors to notify them of data breaches, which
could compromise bank data.
Firms, if the measures are adopted, would have to conduct
annual testing and auditing of their cyber security systems.
Each firm's chief information security officer would also have
to submit an annual report to NYDFS, informing the regulator of
possible vulnerability to risks.
NYDFS has been mulling potential regulations for more than a
year. Benjamin Lawsky, the agency's former superintendent,
discussed the issue at a Reuters Financial Regulation Summit in
May.
