New York cybersecurity regulations too onerous, banks and other critics say

31 January 2017 9:55am
New York Sun

December 21, 2016. By Xiumei Dong

New cybersecurity regulations set to be implemented by the state of New York’s financial regulator will not only create burdens for financial institutions but could also overwhelm regulators who will have to analyze cybersecurity reports, banks and other critics said.

In September, New York Governor Andrew Cuomo and his state’s Department of Financial Services proposed “first in the nation” cybersecurity regulation aimed at protecting consumers from increasing cyberthreats (see here).

Scheduled to be enacted Jan. 1, the regulations require “covered entities” such as insurance companies and other financial services institutions to establish a written cybersecurity program, designate a chief information security officer to oversee the program, and comply with other specific requirements such as cybersecurity training for all employees. They also require institutions to report all possible cybersecurity breaches to the state within 72 hours of their discovery.

Critics said the reporting requirements, including the 72-hour reporting deadline for breaches, are too stringent.

Given the nature and wide variety of types of cybersecurity breaches, “72 hours often is not enough time to develop the information needed to provide an adequate notification,” said Charles Horn, a lawyer at Morgan, Lewis & Bockius who submitted a comment on behalf of his firm.

The state regulatory agency declined to comment.

Since the regulations were proposed, financial industry groups and law firms have submitted comments, criticizing the state’s cybersecurity plan for being “highly prescriptive.”

A coalition that includes the Securities Industry and Financial Markets Association, the American Bankers Association and the Financial Services Sector Coordinating Council commented that “the proposal appears to impose inflexible, one-size-fits-all requirements.”

“Cybersecurity regulations issued by only one state — or by several states — without an effort to converge and coordinate with existing cybersecurity requirements will lead to confusion, additional costs, and a misalignment of cybersecurity operations within the industry,” the groups said.

While New York is the first state to seek to regulate cybersecurity, experts said other states could follow suit. So far though, states such as California, which is frequently active in the digital arena, haven’t proposed similar regulations.

“It wouldn’t surprise me to see other states thinking about doing the same thing,” said Horn.

Since financial institutions have to deal with cyberthreats across the country, Horn said state and federal regulators should seek “greater uniformity” in creating any new regulatory requirements, which would make it easier for the financial institutions to comply.

Some also argued that New York’s proposed regulation won’t have much of an impact on the financial sector because existing federal laws, such as the Gramm-Leach-Bliley Act, already require banks to develop an information security plan to safeguard customer’s sensitive data.

While the new regulations also include elements that target smaller financial services that fall outside that 1999 law, because technology evolves so rapidly, shifting from a risk-based model to a compliance-based one is more likely to overwhelm than benefit them, said Heidi Wachs, a privacy and data breach expert at Jenner & Block.

On Oct. 19, a group of federal banking regulators — including the US Federal Reserve’s Board of Governors, the US Treasury Department’s Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corp. — issued a proposal regarding enhanced cyber risk management standards that would apply to certain “large and interconnected” banking organizations and financial institutions (see here).

Their offering does not propose specific standards itself; rather, it details various proposals and concepts under consideration by the agencies. Comments on it are due Jan. 17.