NY's New Cybersecurity Regs for Banks, Insurers Take Effect

Starting Monday, banking and insurance companies will have to comply with groundbreaking regulations established by the state Department of Financial Services aimed at deterring cyberattacks, and begin reporting any such attacks to the department.

"Monday [Aug. 28] marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyberattacks," said DFS Superintendent Maria Vullo in a statement. The new rules, billed as first in the nation, "set minimum standards for cybersecurity based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems from hacking and data breaches," she said.

The rules established in March (NYLJ March 2), which were tweaked after public comment from industry officials, require banks and insurance companies regulated by the Department of Financial Services to have state-approved plans to deter cyberattacks and report any attacks within 72 hours of when they occur. But there's still debate as to whether the regulations are too restrictive.

The state rules are expected to have national and global impact because, having been adopted through regulatory rather than legislative action, they affect financial services companies that do business in the state regardless of where they are located, as well as the law firms that represent them (NYLJ Aug. 25).

Mark Krotoski, a partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said many of the requirements established by the department are already in place at banking and insurance companies, such as having a chief information security officer and incident response plans.

"Cybersecurity, by definition, is a tailored response to protect data from potential risks. There is no one-size-fits-all, and how you tailor that does vary from each organization," he said in a phone interview. "By mandating a number of requirements that either are already being done, or that may take away resources or redirect cost to comply with regulations rather than tailoring cybersecurity programs to whatever the organization needs, this is more a proscriptive regulation when you compare it with other regulations that are in other states," he said.

Krotoski also said that the 72-hour reporting requirement may not allow businesses to determine a full picture of the scope of the cyberattack. Oftentimes it may take weeks to assess what data was affected or what individuals were impacted by the attack, he added.

On the other hand, F. Paul Greene, a partner and chair of the privacy and data security practice group at Rochester business law firm Harter Secrest & Emery, told the New York Law Journal that organizations affected by the new regulations shouldn't have to recreate the wheel, because they are likely already doing what the regulations require.