WASHINGTON – Bankers already scrambling to comply with a number of different federal cybersecurity standards are raising concerns about a proposal from New York to layer on some additional state rules.
The plan by the New York State Department of Financial Services, published last month, would require all financial institutions chartered in New York to follow a number of baseline measures, from appointing a chief information security officer to encrypting all nonpublic information and requiring multifactor authentication from nearly all employees or customers.
Many institutions said the proposal is mostly redundant with federal standards, such as those outlined by the Federal Financial Institutions Examination Council's voluntary cybersecurity assessment tool. Yet it would still cost banks more in compliance to ensure they are following the state rules, bankers said.
Financial institutions "will have to spend significant amounts of money and resources trying to reconcile these requirements to the existing frameworks that already exist out there," said Simone Petrella, the chief cyberstrategy officer at CyberVista.
Regulatory overlap could also have a chilling effect on information sharing of cybersecurity incidents, according to critics of the plan.
One of its provisions would require institutions to keep the New York regulator in the loop on anything they report, whether to other government entities or to industry-led groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC).
"It's an example of businesses being stuck between a rock and hard place," said James Pastore, a partner at Debevoise and a former federal prosecutor focused on cybersecurity. "Of wanting to cooperate with law enforcement in order to capture the bad guys, but on the other hand being worried about inviting regulatory scrutiny."
It might even affect banks' willingness to share data on incidents that did not pose a direct threat to them, but that could harm other banks, according to industry representatives.
"We share information largely about unsuccessful attempts to compromise financial institutions as opposed to successful attempts," said Doug Johnson, the senior vice president and chief adviser in payments and cybersecurity policy at the American Bankers Association. "We would not want any regulation at the state or federal level to impede that ability."
At the same time, Johnson said, banks typically share most of this data with regulators already.
"I think that [disclosure] requirement frankly already exists," he said. "When an examiner comes into a financial institution, they're going to ask as part of the examination process what significant computer events [and] intrusions occurred, reported or unreported."
The proposed notification requirement harks back to the Cybersecurity Information Sharing Act, a law passed in December that details how government and third parties should communicate on breaches and other threats.
One hotly debated feature of the original bill was the creation of a national alert system for cybersecurity incidents. The states, which worried that this could lower the reporting standard imposed on companies in their jurisdiction, eventually won out, and the national notification standard never came to be.
Now it appears that New York has taken matters into its own hands, asking banks to send any information they would share with federal regulators.
"New York has really leaned forward," Pastore said. The state "has now issued much more granular cybersecurity regulations than any other state."
The plan might also tighten the screws on the cybersecurity requirements banks face today.
For one, financial institutions would have to file an annual certification with the New York regulator attesting that they have complied with all of its cybersecurity standards – something that could be challenging to assess.
"We all take cybersecurity very seriously," Johnson said. "But I think certifying compliance with the cybersecurity regulation is a little different ... than certifying to the completeness and accuracy of a financial statement."
Critics of the proposal also argue that the plan's reporting window – 72 hours – does not give banks enough time to evaluate whether an incident really presents a threat.
Petrella recalled one case when a client institution had identified unknown devices on its network. "Your first reaction is to freak out, and you want to report that," she said.
But after some investigation, the company realized the devices were just old, forgotten fax machines.
If "you end up providing really premature information," said Petrella, "it can actually hurt you, because then you have the regulators coming in and looking at you" whether or not there was a material threat.
Industry sources also worry that unlike the FFIEC's self-assessment tool, New York's proposal takes a one-size-fits-all approach that could disadvantage community banks and other smaller institutions.
"The FFIEC tool is really a risk-based tool and it specifically looks for institutions to implement cybersecurity controls that are commensurate with their level of risk exposure," said Kevin Petrasic, a partner at White & Case. With the New York plan, an institution with a "fairly minimal risk exposure from a cybersecurity perspective may still have a [strong] cybersecurity burden."
For instance, smaller institutions are likely to have a harder time hiring a qualified chief information security officer than larger banks.
"There is not an infinite pool of qualified individuals" seeking out CISO positions, Petrella said. Finding one is "going to be doubly difficult for smaller institutions."
And in order to comply with that requirement, smaller banks will likely have to reorganize their management structure.
In many banks, said Petrella, "you would see that the risk officer was also a security person as well." Having to hire a full-time chief information security officer will require banks to "really rethink how [they] approach [their] business."
Overall, the proposal could force all institutions, no matter how small, to ward off cybersecurity threats with the same weapons.
"What this represents is another example of technical best practices hardening into legal regulatory requirements," Pastore said.
Comments for the proposal are due at the end of October. "We're looking forward to receiving the comments and taking the time to review suggestions and present a final rule by the end of the year," said Richard Loconte, a spokesman for the regulator.