In early September, New York Governor Andrew Cuomo introduced new regulation that would make the state the first in the nation to enforce a cybersecurity program for financial institutions. While some have compared the regulation to the FFIEC (Federal Financial Institutions Examination Council)’s Cybersecurity Assessment Tool and guidelines, the proposed regulation would actually go much farther in its quest to ensure all financial institutions in NY are prepared for and are doing their best to prevent cyber attacks.
The proposed regulation takes the guidelines from the FFIEC a bit farther by imposing a reporting obligation and requiring the formal appointment of a CISO to be held accountable for implementing and reporting on the cybersecurity program.
Much like the FFIEC’s five preparedness functions:
New York’s proposed regulation will require financial institutions to create a cybersecurity policy with six key components:
Per McGuireWoods LLP, a couple other important pieces in the proposed regulation include the notification requirement within 72 hours of a breach to DFS, but not to customers, and the lack of a requirement or even recommendation to acquire cybersecurity insurance. This is notable, as the DFS was the first financial regulator in the country to include cybersecurity insurance as part of its examinations in late 2014.
The regulation applies to all financial services companies (including banks and insurance agencies) regulated by the State Department of Financial Services, with very few exceptions, listed below:
It is unclear, however, if the regulation will also apply to federally chartered institutions, since the language around “covered entities” was left quite vague, per Harris Beach.
Doug Johnson of the American Bankers Association said in an interview with Homeland Preparedness News that the NY regulation was “fairly consistent with what our responsibilities are at the federal regulatory level,” though they are seeking clarification on a couple pieces of the regulation, including:
The ABA has been working with the Department of Financial Services in an attempt to harmonize the different regulations and data breach notification policies from state to state and even nationally, arguing the need for a national law to eliminate the confusion.
It’s notable that the first state to make a foray into cybersecurity regulation is NY, due to its status as a financial center. In a press release, Governor Cuomo stated "New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Because of New York’s influence, this is unlikely to be last we hear of a state regulatory body moving into the cybersecurity space. In fact, we’d be willing to bet that several others will soon follow suit, potentially paving the way for a national standard after all.
In the meantime, financial institutions looking to get ahead on risk management and customer security can check out our tear sheet on how Rippleshot’s Sonar product can help identify risks and confirmed breaches of cardholder information early and accurately:
You have fraud frustrations? We have the solutions. Let's discuss what you are dealing with and we can learn more and share how we can help.