Why the New York Banking Cybersecurity Regulations Are Imperative and Timely

New York Governor Andrew Cuomo’s announcement of proposed new and far-reaching regulations to protect New York State banks, financial institutions and insurance companies against the escalating threat of cyberattacks is both timely and imperative. The regulation requires institutions to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York’s financial services industry.


The proposal is a landmark initiative to elevate the security posture and preparedness of New York’s thousands of financial institutions in combatting cyber-crime through a cybersecurity program that performs five core functions:

  1. Identification of cyber risks.
  2. Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts.
  3. Detection of cybersecurity events.
  4. Responsiveness to identified cybersecurity events to mitigate any negative events.
  5. Recovery from cybersecurity events and restoration of normal operations and services.

In addition, the program calls for the appointment of a qualified Chief Information Security Officer (CISO) responsible for implementing and enforcing its cybersecurity policy. Moreover, third party service providers are called out for special scrutiny and are required to achieve minimum cybersecurity practices to ensure the security of non-public information.

Centrify’s Point of View

Centrify CEO, Tom Kemp, states, “this is an imperative bar raise for the financial services industry,” and that, “most tier-1 institutions are well placed to meet new regulatory compliance standards. However, hundreds of smaller, less well funded institutions will require professional services to help retool their security infrastructure and policy.”

“These regulations will help protect all institutions from the leading attack vectors, compromised credentials and misuse of privileges within an organization. The particular reference to third party service providers is welcome, as recent highly publicized data breaches were caused by compromised 3rd party systems.”

“Platform approaches to secure cloud and on-premise infrastructure, protect user identity and prevent misuse of privileged accounts are essential in reducing legacy drag, complexity and staffing to meet proposed requirements,” added Kemp.

Centrify will present a comprehensive set of policy guidelines and a next generation identity and access management platform in conjunction with its global integration partners in response to the New York State request for public comment.
