New York's Department of Financial Services has decided to rethink its controversial cybersecurity regulation just a couple of weeks before it was to take effect.
The department says it will publish revised rules Dec. 28 that will take effect March 1.
"The delay is a positive step and clear signal that DFS wants to get it right," said Craig A. Newman, a partner with Patterson Belknap Webb & Tyler and chair of the firm's privacy and data security practice group. "The stakes are high given New York's global prominence in the financial community and the fact that other regulators have already sat up and taken notice."
The DFS would not elaborate on what will be in the new version of its cybersecurity rules. But the decision to rewrite and reissue the regulation came two days after a hearing in Albany in which New York bankers unleashed a litany of complaints about the regulation to New York State lawmakers.
No one from the DFS participated in the hearing. Asked if the DFS wouldn't be an important party to have at the hearing, a department spokesperson laughed but would not comment. New York regulators and lawmakers have jousted in the past.
But the DFS was very aware of the hearing and surely listened to the many objections to its regulation that were raised there, which could be distilled down to some basic themes:
1. It would cost too much.
"We spend a great deal of manpower and money ensuring our security meets our risk profile," said Laura Mazzara, senior vice president and chief risk officer of Pioneer Bank, a community bank in the Albany area. "In reviewing the proposed regulation we feel there's a one-size-fits-all approach and we're concerned it doesn't fully take into consideration the operating environment as it varies from bank to bank and the impact that could have on small community banks. Certainly at Pioneer Bank, at $1 billion in assets, we will feel its financial impact."
One costly item is reporting.
"We're concerned that the volume of information required to be reported could be quite voluminous, numbering in the hundreds and potentially thousands of incident reports per year," Pioneer Bank Associate Counsel James Whalen said. "We're concerned about the cost to compile and provide such reports on the part of banking staff and DFS staff."
The compliance costs could prevent the bank from investing in community service and development and product and service enhancement and innovations, Whalen said.
2. Banks shouldn't be forced to hire CISOs.
The current proposed rule requires financial institutions to create a chief information security officer position, an executive who reports to the board of directors.
According to research conducted by IDT911, a provider of identity protection solutions, only half of U.S. banks today have an executive with this title. Some have questioned whether it's necessary.
"I think it's important to have one decision-maker who will take responsibility for security controls," Eric Hodge, director of consulting at IDT911, said in a recent interview. "I don't think it's important to have that particular title."
Whalen said that for a community bank, a CISO would be costly to hire and could be hard to recruit for in rural areas. Pioneer Bank has an information security officer – not a CISO – who reports to Mazzara.
Mazzara argued that a practical, technically adept ISO could be more useful in some ways than a CISO. "The difference between an ISO and a CISO may come down to strategy versus a tactical approach that requires technical qualifications to know how to be nimble and protect in a changing environment and address things quickly as they come up, to keep the bank secure," she said. "As opposed to an executive-level position that tends to be more strategic and not as technical as the ISO."
3. The rules are too tough.
"There's no question this regulation contains requirements that are substantially more detailed and much tougher than the federal regulations," Newman noted. For instance, it requires banks to file an annual report with the DFS confirming that a senior corporate officer or the board has reviewed the institution's cybersecurity policies and verified compliance. "That's a throwback to Sarbanes-Oxley when we had all the accounting scandals with Enron and WorldCom," he said. "This is in many ways unchartered territory in cybersecurity."
4. New York's regulation is too different from the federal rules of the FFIEC, the Federal Reserve, the OCC, the FDIC and even NIST.
Bankers who testified at the hearing all asked that the DFS bring its regulation in closer alignment with national rules.
"We very much disagree that prescriptive, potentially conflicting regulations issued by each state as well as the federal government will protect our company and the residents of the state of New York," said James Bopp, treasurer of the New York Mortgage Bankers Association and national correspondent sales manager at Platinum Home Mortgage. "Cybersecurity regulations issued by only one state this year will surely lead to additional and potentially divergent cybersecurity regulations issued in a few more states early next year. That pattern will continue and will create a patchwork of state requirements."
Bopp recommended that the DFS wait to see the new cybersecurity rules the Federal Reserve, OCC and FDIC are creating before coming out with their own.
State legislator David Weprin, a member of the banking committee, raised a counterargument: that a new administration in Washington may do a total overhaul of banking regulation. "That's why it's important that New York state proceed on its own dealing with their issues because who knows what's going to happen in Washington and how long it's going to take. There are going to be a lot of distractions in Washington."
5. The regulation is "one size fits all."
Small banks have much more limited resources than their larger brethren, and therefore should not be made to meet all the same requirements, several at the hearing said.
And this is even truer for small title companies, which often have fewer than 10 staff members, said Robert Trueber, executive vice president of the New York State Land Title Association.
For instance, the cybersecurity regulation as currently written requires financial companies to encrypt and protect all "nonpublic" data. The only nonpublic data title insurance companies get is Social Security numbers when a deed is recorded, he said. "The extent of the controls, recordkeeping and reporting required by the DFS is disproportionate to the kind of nonpublic information title companies handle and the risk it poses to consumers," he said. "It is a common practice among title companies to destroy nonpublic information after the transaction is recorded. This is a practice that could easily be made a requirement by the DFS with a simpler and less onerous regulation."
6. It calls for too much incident reporting.
New York's current regulation requires banks to file a report of every cybersecurity incident within 72 hours. Banks have been uneasy about reporting all threats, especially those they successfully repel.
"They want some sort of materiality qualifier so the data compromise has to be material before it's reported to DFS," Newman said. "The current regulation doesn't contain that language. I can't tell you how many times clients face data security issues and we run them down and they end up being nothing. It's burdensome and unnecessary for them to report events if there's no material effect on the bank."
7. The extra regulation and reporting could create an impression that New York banks are less secure than others.
Whalen suggested that incidents reported under the New York regulation may be subject to public disclosure under the Freedom of Information Act, which could lead to a serious reputation problem.
"The public nature of such reports coupled with the expanded mandate to report may result in community banks that properly report and follow the regulation to suffer reputational and monetary loss from customers who become aware of such reports, either through their own research or through media reports," Whalen said. "We're concerned that the public nature of these reports could create the false impression among community bank customers that New York State-chartered institutions are less secure than their federally chartered counterparts." Customers could leave for this reason, he said.
Other criticisms have touched on the strict requirements for vetting third-party vendors' security, the specificity of the rules around multifactor authentication, and the need to protect environmental control systems.
Next Wednesday, when the revised rules come out, we'll probably find out which of these arguments the New York regulators found moving.
Editor at Large Penny Crosman welcomes feedback at email@example.com.