The New York Department of Financial Services announced last week that it will revise and delay the effective date of its proposed cybersecurity regulation. The announcement came two days after New York bankers brought up a number of criticisms of the proposed rules at a hearing before the state’s Standing Committee on Banks.
At the hearing, bankers lamented that the proposed regulation will prove too burdensome to implement, particularly for small community banks. Chief among their concerns were the following:
Cost. The banks argued that extensive reporting obligations and the requirement that all banks hire a Chief Information Security Officer will strain bank resources, potentially resulting in a decline in product development and bank community service.
Conflicts with Federal Regulations. The bankers noted that the OCC, FDIC, and Federal Reserve are all currently working on cybersecurity rules of their own and expressed the concern that “this regulation will create a disparity between the standard that we’re expected to meet on the federal side and the standard in this new proposed regulation.”
One-Size-Fits-All Approach. The proposed regulations require that small community banks comply with many of the same requirements as banks that operate on a much larger scale.
Too Much Incident Reporting. Bankers noted the need for “some sort of materiality qualifier so the data compromise has to be material before it’s reported to DFS.” The proposed regulations currently require banks to report all cybersecurity incidents, even those which are successfully thwarted, within 72 hours. Because some incident reports could be subject to Freedom of Information Act requests, the banks worry that the proposed regulations could result in an impression that New York banks are less secure or subject to more cyberattacks than banks in other states.
A new draft of the proposed regulations will be released by DFS on December 28, 2016.