N.Y. bank cyber regs revised after criticism
The New York Department of Financial Services, which regulates major banking and insurance players across the U.S. and beyond, is re-drafting its proposed cybersecurity regulations after criticism from industry.
In a brief, unsigned email to CyberScoop, the DFS public affairs office said the new draft would be released on Dec. 28, followed by a new 30-day comment period.
The proposed rule, published in September, was scheduled to come into force Jan. 1, after a 45-day comment period.
Under the proposal, banks and other financial services institutions regulated by DFS would have had to:
- Establish a cybersecurity program.
- Adopt a written cybersecurity policy.
- Designate a chief information security officer, or CISO, responsible for its program and policy.
- Have policies and procedures designed to ensure the cybersecurity of systems accessible to, or run for, the institution by third parties.
Regulators said the 19-page proposal attempted to set a floor for cybersecurity, not a ceiling, and to leave institutions the flexibility they need.
But representatives from smaller banks expressed concerns this week at a hearing of the New York State Assembly Banking Committee.
Attorney Craig Newman, who attended the hearing and has been a critic of the proposed rule, said the criticisms from the financial services industry at the hearing and in public comments on the proposal broadly broke down as follows:
- Smaller banks worried that the rule takes a “one size fits all” approach. “The concern is that the regulation fails to align an institution’s risk profile with appropriate cybersecurity measures,” Newman said. “Obviously a small community bank has a very different risk profile from a major global institution. … You don’t want to end up throwing $1 million worth of security at $100,000 worth of risk.”
- There was also concern about the definition of a reportable data security incident, Newman said. “The feeling is, the definition needs to capture a materiality requirement,” he said. Institutions shouldn’t have to report all unsuccessful attacks.
- Finally, he said there was concern about the reach of the rule, which covered institutions from “major global players” to a small insurance firm based in Iowa with a New York outpost. “If their principal place of business is elsewhere … in Iowa or in Asia … to what extent do they have to implement the standards in the proposed regulation across their whole enterprise?” he asked.
“Everyone there,” he added of the banking industry representatives at the hearing, “was fully supportive of the intent of this rule to create a real-world cybersecurity regulation.”