New York’s Cyber Regulation: A National Blueprint?
New York’s top banking regulator would like the state’s sweeping – and highly detailed – new cybersecurity regulation to serve as a national model for insurance companies in safeguarding their institutions from cybercrime.
In a speech to the National Association of Insurance Commissioners (NAIC) on Sunday, Maria T. Vullo, superintendent of the New York State Department of Financial Services, said that “[t]he New York regulation is a road map with rules of the road.”
“We believe the best way for the industry to focus on the threat of cybersecurity is to have a consistent framework,” said Ms. Vullo. Her remarks to the NAIC were reported by Reuters.
The New York cyber regulation, which went into effect on March 1st, sets forth a series of requirements, many of which must be implemented by the end of August. The requirements range from designating a chief information security officer to mandatory board reports and yearly compliance certifications. Institutions covered by the regulation include banks and insurers that operate in the state as well as branches of foreign and out-of-state banks. We have reported extensively on the regulation.
For its part, the NAIC has been at work for more than a year drafting a proposed model cybersecurity law, but its membership has not uniformly supported the approach taken. The model law is now in its fourth iteration. A new draft is expected next month.