Major banking and insurance industry groups are attacking New York’s proposed regulation requiring member companies to adopt stringent protections against cyberattacks that compromise consumers’ confidential information.
National groups including the Securities Industry and Financial Markets Association, the American Bankers Association and the Financial Services Sector Coordinating Council have filed public comments that are critical of nearly every major aspect of the state’s cybersecurity plan.
The plan “appears to impose inflexible, one-size-fits-all requirements,” the coalition said. They said federal regulators and other standard-setting organizations had crafted rules that were based on risk analyses and allowed more flexible guidelines.
Banking and insurance groups also called the Jan. 1 effective date “unworkable.”
The proposal by the state Department of Financial Services, among the first of its kind by state regulators in the United States, calls for all state-regulated banks and insurers to self-evaluate their cybersecurity vulnerabilities each year, develop updated security plans, create an immediate response plan for security breaches, and designate a qualified employee to act as chief security officer.
The rules also require cybersecurity training for all employees at financial institutions and require them to report all attempted or successful cybersecurity breaches to the state within 72 hours of their discovery (NYLJ, Sept. 15).
Gov. Andrew Cuomo has lauded the plan as representing “decisive action” to protect consumers and financial institutions from cybercriminals and terrorists in a state that is a national financial industry center.
The department published its proposal on Sept. 28 and accepted public comments through Nov. 14. Unless significantly altered by superintendent Maria Vullo (NYLJ, Sept. 26), the mandate will take effect Jan. 1.
The department said it would not release public comments until officials review them to see if they inadvertently contain any “proprietary” financial industry information. But copies of comments solicited by the New York Law Journal from industry groups themselves revealed their overwhelmingly negative evaluations.
They almost uniformly complained that the regulations fail to provide a “risk-based” approach to combating cyberattacks, one that takes into account where companies are most vulnerable, or to provide the flexibility to apply the bulk of their resources where the dangers of security breaches are worst.
In joint comments filed by eight influential financial services industry groups, the coalition said its members have sought to adhere to cybersecurity guidelines developed by the National Institute of Standards and Technology, the International Organization for Standardization and federal agencies, such as the Securities and Exchange Commission, the Federal Reserve and the Federal Deposit Insurance Corp.
The coalition said a hallmark of all other cybersecurity guidelines is that institutions are given flexibility to respond to weaknesses as they become apparent through risk-based analyses.
They argued that the New York plan does not do so.