Memo #30425

Letter Filed with NY Department of Financial Services Opposing Proposed Cybersecurity Requirements for Financial Firms

[30425] November 25, 2016

TO: Chief Information Security Officer Advisory Committee; Technology Committee

RE: Letter Filed with NY Department of Financial Services Opposing Proposed Cybersecurity Requirements for Financial Firms


During the meetings of ICI’s Technology and CISO Advisory Committees earlier this month, we discussed the New York Department of Financial Services’ rule proposal that would impose very prescriptive and unrealistic requirements on financial services firms regulated by the Department.[1] As we discussed, because mutual funds are regulated by the Office of the New York Attorney General, and not by the Department of Financial Services, the proposal will not directly impact our members’ mutual fund business. However, depending on the nature of their business and the services they may provide to a person regulated by the Department, the proposal may impact those members.

To address the concerns of our members with the proposal, on November 14th the Institute joined a letter the National Business Coalition on E-Commerce and Privacy submitted to the Department opposing the proposal.[2] To ensure that our members’ concerns with the Department’s proposal were sufficiently addressed, the Institute played a primary role in drafting the Coalition’s comment letter. 

In summary, the Coalition’s letter opposes the Department’s proposal because, among other things:

  • The Department failed to demonstrate why the proposal is necessary in the public interest;
  • The Department failed to consider both the material costs to institutions that would result from implementing the proposal (both initially and on an ongoing basis) and the work institutions must do, and the time it would take them, to implement the proposal’s requirements fully;[3]
  • The proposal is unnecessarily broad;
  • The proposal is unduly prescriptive, which is at odds with enabling financial institutions to tailor cyber security programs that are appropriate to their size and complexity, the nature and scope of their activities, and the sensitivities of the information that they maintain;
  • Sections within the proposal are so vague and ambiguous as to pose an implementation challenge to financial institutions; and
  • The proposal is needlessly inconsistent with the requirements the Federal Government has imposed on financial institutions to ensure that they protect our financial markets and the privacy interests of such institutions’ customers.

Each of these concerns is discussed in detail in the Coalition’s letter. In addition to filing the comment letter with the Department, a member of the Coalition’s staff, who has contacts with the Department, has met with representatives of the Department to impress upon them the seriousness of our concerns.

A copy of the Coalition’s letter is attached. We will keep you apprised of developments relating to the Department’s proposal.


Tamara K. Salmon
Associate General Counsel

Attachment

Endnotes

[1] For those of you who were not at the recent Committee meetings and who may not be familiar with the Department’s proposal, you can find out more about it through the following links:

[2] The Coalition consists of brand name companies, some of which are financial services companies and some of which engage in financial services as an essential part of their business. The Coalition was formed in the wake of the Gramm-Leach-Bliley Act and it seeks to contribute productively to reasonable regulation and public policy relating to electronic commerce and privacy issues. The Institute is a founding member of the Coalition and serves as its Vice Chair. The other members of the Coalition include: Acxiom Corporation; Ally; Bank of America; Charles Schwab & Company; Deere & Company; Experian; Fidelity Investments; General Motors Corporation; JP Morgan Chase & Co.; Principal Financial Group; the Vanguard Group; and Visa, Inc. 

[3] The Department expects that these new rules will become effective on January 1, 2017 with an implementation period of 180 days. As you’ll see from reading the Coalition’s letter and the proposed rules, this is an impossibility due to the rigorous and numerous requirements in the rules.