New York State's top banking regulator Benjamin M. Lawsky released details Wednesday of his plan to require the state's financial institutions — including credit unions — to upgrade their cyber-defense systems.
Lawsky, superintendent of the New York State Department of Financial Services (DFS), wants to increase the focus on data protection in the department's IT examinations and risk assessments, among other things.
"The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology," Lawsky said in a memo. "To that end, the Department has incorporated into the examination new questions and topics, which will be embodied in pre-examination."
Credit unions and banks will now be required to, among other things, answer questions about their cyber infrastructure in a pre-examination questionnaire known as a "First Day Letter."
The questions will cover a range of topics, including the financial institutions' reporting structure for cybersecurity issues, plans for information security testing and insurance coverage for third-party liabilities.
New York Governor Andrew Cuomo said in May that he had ordered the department to conduct regular assessments of the state's CUs and banks to focus on protecting consumer data.
Impact on Empire State CUs
Michael LaNotte, the senior VP for association services and general counsel for the Credit Union Association of New York (CUANY), told Credit Union Journal that CUs take the security of their members' data very seriously and already meet very high security standards as part of their compliance obligations.
"They understand, however, that the need for a robust cyber-security program goes beyond meeting the legal and regulatory requirements because the impact of a cyber-breach has a direct, negative effect on their members' finances, privacy and peace of mind," LaNotte said.
But he cautioned that such new rules will only add to the high regulatory/compliance burdens on credit unions.
"Therefore, while there may be aspects of the factors [that] the DFS will access that require some credit unions to enhance their data security programs, we believe the vast majority of these factors are already in place at New York's credit unions," said LaNotte.
NAFCU's Senior Vice President of Government Affairs and General Counsel Carrie Hunt said NCUA has strong rules in place for ensuring that CUs have appropriate and effective security programs.
"Credit unions have a strong track record of regulatory compliance and constantly strive to protect their members' data," Hunt said, citing a recent survey of NAFCU members that found that CUs not only meet the regulatory requirements, but also voluntarily implement many of NCUA's suggested best practices to better safeguard members' data.
Michael Mattone, AVP of public relations at the $2 billion Municipal Credit Union in New York, said MCU strives to maintain the highest standards with regard to keeping member data secure at all times.
"Like all credit unions, MCU is subject to the data security standards set forth under the Gramm-Leach-Bliley Act," Mattone told Credit Union Journal. "In addition, MCU works diligently to safeguard all member personal and account data through many operational policies and procedures we have in place."
MCU already maintains the high level of protections that Lawsky is calling for, said Mattone, adding, "We feel that data security is a shared responsibility between all parties that hold member data. The fact that merchants are not subject to the same data security standards as credit unions and other financial institutions is something that needs to change to ensure all member data continues to be safeguarded effectively."
But Dennis Dollar, principal partner of Dollar Associates, an Alabama-based credit union consulting firm, said because cyber-security is a major risk-focus for both CUs and banks, many regulators are "rightly increasing" their focus in this arena.
Dollar noted that cyber-security poses a greater potential cost to credit unions than some other areas of regulation, such as the excessive focus on CUSOs, loan participations and associational field of membership issues.
"Very few of the areas of recent regulatory action, at least among credit unions, are even close to creating the [financial magnitude] of risk that is inherent in fraud and data security," he added.