New York’s recently proposed cybersecurity rules could push other states and the federal government to adopt similar measures to combat the growing threat posed by cyberattacks—even as certain aspects of the plan likely will present challenges for financial services firms.
Unveiled in mid-September by the New York Department of Financial Services (NYDFS), the plan was touted as a first of its kind by New York Governor Andrew Cuomo. It would require banks, insurance companies and other financial services providers regulated by the NYDFS to meet cybersecurity standards set by the agency. Although state and federal regulators have in the past set forth expectations of cybersecurity standards, they’ve done so through guidance, rather than clear-cut rules. In mandating specific cybersecurity measures by law, NYDFS could pave the way for other regulators to do the same. Many of the proposals in the New York plan also were called for in guidance earlier this year by the Federal Financial Institutions Examination Council, an interagency body that includes the FDIC, Federal Reserve and the Office of the Comptroller of the Currency.
Even though banks and other financial institutions in many cases already have policies in place that align with the NYDFS proposal, firms may struggle to ensure total compliance with all aspects of the rules once they go into effect. Among the potential stumbling blocks are issues involving customer notification in the event of a breach and monitoring how third parties handle customer data. Firms that aren’t in compliance risk an enforcement action if a breach occurs or any issues arise during a review by the NYDFS.
The proposed New York regulation was scheduled to be published in the New York State Register on Sept. 28, and currently is subject to a 45-day public comment period.