NYDFS proposes first-in-the-nation cyber-security regulation
Chris Hamblin, Editor, London, 30 September 2016
New York State has drafted a regulation to require banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services to establish and maintain "cybersecurity programmes."
Governor Andrew Cuomo announced the policy, claiming that it was designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. He hailed it as a major counterpunch against "state-sponsored organisations, global terrorist networks and other criminal enterprises."
The proposed regulation is subject to a 45-day notice and public comment period after its publication this week in the New York State Register and before its final issuance. If passed, it will require every regulated financial institution to establish a cyber-security programme; to write down and follow a cyber-security policy; to appoint a chief information security officer who will be responsible for implementing, overseeing and enforcing its new programme and policy; and to design policies and procedures to ensure the security of information systems and non-public information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems. All questions and comments regarding the proposed rule should be emailed to CyberRegComments@dfs.ny.gov.
The NYDFS is describing its proposal as 'groundbreaking.' Before drafting the new regulation, it surveyed nearly 200 regulated banking institutions and insurance companies to gauge the industry's efforts to prevent cybercrime. It also met a cross-section of people in those firms, along with cybersecurity experts, to discuss emerging trends and risks, and the policies and procedures governing relationships with third-party software vendors.