WASHINGTON — Signs that New York's bank regulator will craft formal cybersecurity rules are prompting broader industry concerns that the state's aggressive approach will be the standard for other agencies as well.
The New York State Department of Financial Services last year already promised tough cybersecurity exams, and federal regulators have intensified their focus on all banks' cyber readiness. But the department put a finer point on its plans in a recent letter to federal and state agencies signaling "potential new regulations" — including required multifactor authentication and annual vulnerability assessments — while calling for "convergence" among all policymakers on cybersecurity rules.
Industry representatives worry the state will set the bar too high, not just for New York-chartered banks but throughout the industry.
"One of the concerns is to what extent does one particular state have the ability to impose security standards on all federally or nationally chartered financial institutions," said Kevin Petrasic, a partner at White & Case LLP.
Others said New York's apparent plans would go considerably further than the risk-based approach favored up to now by federal regulators. The federal agencies have signaled tougher cybersecurity reviews throughout the industry, and earlier this year unveiled an assessment tool for institutions to test their cyber readiness.
"The thing that makes the federal guidance helpful on third party relationships and on authentication is it is risk-based. It appears what New York is proposing is something that is much more rigid without regard to a risk assessment … on the perceived risk," said Lynne Barr, a partner at Goodwin Procter. She added, "Almost all of the things that the department is proposing to put in their regulations are things that are already required or considered best practices by banking institutions of all sizes."
The Nov. 9 letter from Anthony Albanese, the department's acting superintendent, said the regulatory framework under consideration would require state-chartered institutions to implement written cybersecurity policies, designate a chief information security officer, have procedures to protect data accessible to third-party service providers as well as the security of applications, conduct regular audits and notify the state department of cybersecurity incidents.
Albanese said that department reports and assessments show that institutions need to go even further than they have up to now in preparing for new cyber threats.
"Cyber security programs must remain dynamic to keep pace with this fast-changing landscape. Second, third-party service providers often have access to sensitive data and to a financial institution's information technology systems, providing a potential point of entry for hackers," he wrote.
"A company may have the most sophisticated cyber security protections in the industry, but if its third party service providers have weak systems or controls, those protections will be ineffective. Finally, the scale and breadth of the most recent breaches and incidents demonstrate that cyber security is a global concern that affects every industry at all levels."
Some believe the state's considered steps are necessary in light of the persistent threat level.
Dana Syracuse, a managing director at K2 Intelligence and former general counsel at the New York department, said the state is simply taking lessons from the past and taking steps to prevent future data breaches. "Any regulator when they are drafting regulation is wise to have costs in mind, but I think the kinds of things that are highlighted in this letter … are the things that when you look back at prior breaches, they could have mitigated or prevented those breaches," Syracuse said.
On multifactor authentication, the state is considering rules that have already been best practices in the industry. The rules would require multifactor authentication for customers accessing confidential information on web applications and that institutions have multifactor authentication "for all access to internal systems and data from an external network."
But as multifactor authentication practices continue to evolve, observers said, formal rules could be misguided since it is unclear whether new regulations could keep pace fast enough with changes in the industry. The federal regulators up to now have issue only guidance on multifactor authentication. Guidelines issued in 2005 said that in instances where single-factor authentication is not sufficient, institutions "should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
"How prescriptive are these regulations going to be in how the banks really conduct business? The use of multifactor authentication is the state of the art right now, but are there plans to update this as things move on and as things develop?" said Brian Knight, associate director for financial policy at the Milken Institute's Center for Financial Markets.
Kenneth Dort, a partner in Drinker Biddler's intellectual property group, said financial institutions "have been reluctant" to adopt new system changes to support multifactor authentication "not because the cost is so high but because of the convenience factor for its customers."
"I would sense a lot of pushback in terms of the hardware infrastructure requirements, particularly the multifactor authentication," he said.
Yet observers sounded most concerned about how potential rules by one state could become the model not only for other states but also federal regulators.
In the letter, Albanese voiced support for regulators getting on the same page regarding their cybersecurity policies.
"It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cyber security standards for financial institutions," he wrote.
Barr warned that it could be a slippery slope if states start requiring more than federal regulators on cybersecurity.
"Once one state starts this, we are going to start seeing other states doing it, too, so we are going to have this patchwork of rules and regulations that are not as flexible and we are just going to have this increase in cost of compliance."
But on the flip side, institutions could be caught in a difficult position if federal and state rules were different.
A "hybrid" federal-state regulatory framework "might be the worst of all … because you have federal law which has the virtue of being consistent and then you have state law that you are going to comply with," Knight said.
Doug Johnson, senior vice president for payments and cybersecurity at the American Bankers Association, said banks hope regulators adopt a unified approach.
"What we really need to do is make sure what we are not creating is one more additional framework which an institution has to map to, which creates the potential danger of it becoming a compliance exercise as opposed to a risk management exercise," he said.