New regulations on cybersecurity have been published by the New York State Department of Financial Services. 23 NYCRR Part 500 will have a major impact on American business as it has serious requirements and mandates for all financial services companies doing business in New York state–which of course are almost all of them. A good article on the topic is is at https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial. Significant requirements include:

• Policy & Program: Covered entities must instate and maintain a documented cybersecurity policy, and adopt a robust cybersecurity program, by August 28, 2017.
• CISO: Designate a qualified Chief Information Security Officer (CISO) to oversee and implement the cybersecurity program and enforce policy.
  • The CISO must submit a written report annually to the Board of Directors and an annual compliance certification to the Department of Financial Services.
• Data encryption: Organizations must enact controls, including encryption of sensitive data, depending on the outcome of a risk assessment.
• Continuous monitoring: Covered entities must continuously monitor cybersecurity functionality OR conduct annual penetration testing and bi-annual assessments.
• Enhanced multi-factor authentication: Covered institutions must employ multi-factor authentication for all inbound connections to the entity’s network.
• Incident reporting: Covered entities must document and report all cybersecurity events.