State Board Report

March 2017

As of March 1, New York became the first state to have in effect cybersecurity regulations to protect the state’s financial services industry and consumers from the threat of cyberattacks. Banks, insurance companies and other financial services institutions that are regulated by the New York Department of Financial Services are now required to establish and maintain a cybersecurity program. The regulation encourages firms to keep up with technological changes, but it also sets regulatory minimum standards including:

  • Controls relating to the governance framework of the cybersecurity program (funding, staffing, oversight management, and periodic reporting to senior governing body);
  • Risk-based minimum standards for technology systems (access controls, data protection, penetration testing);
  • Required minimum standards to help address cyber breaches (incident response plan, preservation of data, notice to DFS of material events);
  • Required identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

AICPA President Barry Melancon met with the CPA and Accountants Caucus (Rep. Michael Conaway (R-TX), Rep. Collin Peterson (D-MN), Rep. Tom Rice (R-SC) and Rep. Brad Sherman (D-CA)) on February 2 to provide an overview of the future of the CPA profession, including its efforts in cybersecurity.

Late in 2016, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation issued a joint advance notice of proposed rulemaking on enhanced cyber risk management standards for entities under their supervision and their service providers. On February 17, the National Association of Insurance Commissioners sent a letter in response to the notice, outlining the steps they have taken to enhance data security and reporting that they are working toward developing an Insurance Data Security Model Law. In concluding their comments, the NAIC leaders state: “We recognize that cybersecurity and associated regulatory concerns stretch beyond the insurance sector and we encourage coordination among financial regulators as we develop strategies to protect the financial infrastructure of this country.”
