NY's Cybersecurity Regulatory Plan Raises Concerns, Praise At FIs

Credit unions and banks already scrambling to comply with a number of different federal cybersecurity standards are raising concerns about a proposal from New York to layer on some additional state rules.

The plan by the New York Department of Financial Services (DFS), published last month, would require all financial institutions chartered in New York to follow a number of baseline measures, from appointing a chief information security officer to encrypting all non-public information and requiring multi-factor authentication from nearly all employees or customers.

Many institutions said the proposal is mostly redundant with federal standards, such as those outlined by the Federal Financial Institutions Examination Council's voluntary cybersecurity assessment tool. Yet it would still cost financial institutions more in compliance to ensure they are following the state rules, they said.

The plan might also tighten the screws on the cybersecurity requirements FIs face today. For one, financial institutions would have to file annual certification requirements with the New York regulator, promising they have complied with all of its cybersecurity standards – something that could be challenging to assess.

The New York Credit Union Association (NYCUA) told Credit Union Journal the league is "in the process of fully analyzing the proposal and developing our comment letter."

"We'll have more in-depth insights to share after we submit our comments to the [DFS]," said RJ Tamburri, NYCUA's communications director. "With that said, credit unions and financial institutions are already subject to cybersecurity requirements. We're going to be looking to the DFS to clarify the extent to which the current procedures financial institutions already have in place can be used to satisfy the requirements outlined in the proposal."

Cheryl Wicks, CEO and manager of Encompass Niagara Credit Union, a $16.8-million state-chartered institution based in Niagara Falls, N.Y., said that while she has not specifically reviewed the latest cybersecurity regulations being proposed by Albany, any increased regulation imposes undue burdens on state credit unions, particularly smaller institutions like hers.

"It makes it very, very difficult for us and increases our cost burdens," she said. "I don't think they take that into account."

But not all of the response has been negative. Some credit unions suggested there is at least some good to be found in the new regulations in the form of added awareness.

Steven Krauser, the interim CEO at Melrose Credit Union, a state-chartered, $1.9-billion institution based in Briarwood, Long Island, told CU Journal that his credit union is "constantly working on keeping our systems safe and secure for our members," and the new rule could help to "build awareness" in the credit union community and with the public with respect to the threats that exist in our current online, connected society.

"We at Melrose Credit Union look forward to seeing these proposals implemented and plan on meeting or exceeding these requirements," he stated.

Bill Crane, chief administration officer, general counsel and chief information security officer at CFCU Community Credit Union, a $1-billion state-chartered institution based in Ithaca, N.Y., also lauded the state agency for giving financial institutions the opportunity to offer input into the process.

"We applaud the New York Department of Financial Services for allowing us (and other New York financial institutions) to be involved in the pre-development of these regulations through survey and other feedback sessions conducted by DFS in late 2013 and early 2014," he stated.

At this time, Crane added, CFCU Community CU is in the process of reviewing the DFS proposed cybersecurity regulations to protect consumers and financial institutions.

"Based upon our initial review of the executive summary of the proposed regulations prepared by DFS, we are pleased to report that we are already in compliance with most – and perhaps all – of the proposed requirements highlighted in the executive summary," Crane concluded.

 

 

