Should N.Y.'s strict cybersecurity rule be a model for the country?

WASHINGTON — The approaching deadline for New York State companies to comply with a stricter set of cybersecurity requirements is stoking a debate over whether the state's tough rule could be a model for federal regulators.

The New York State Department of Financial Services recently issued a statement warning firms that they have until Sept. 4 to be in compliance with the third phase of the cybersecurity rule that first took effect last year. Next month banks and other institutions must start encrypting nonpublic data and keeping "audit trails" to help manage the aftermath of a breach.

But with federal regulators signaling their interest to strengthen cybersecurity rules, many observers are asking whether New York's framework could provide a road map.

“The NYDFS cybersecurity regulations really were groundbreaking and they are serving as a model now for other legislative and regulatory” proposals, said Edward McAndrew, co-practice leader of the privacy and data security group and head of the national cyberincident response team at Ballard Spahr.

Maria Vullo
Maria Vullo, superintendent of the New York Department of Finance, listens during a Bloomberg Television interview in New York, U.S., on Thursday, Nov. 30, 2017. Vullo discussed the rapid growth of bitcoins and New York's lead in regulating bitcoin and cryptocurrencies. Photographer: Victor J. Blue/Bloomberg
Victor J. Blue/Bloomberg

While firms have been following the New York State rule since March 2017, some of the more advanced, stricter standards are taking effect next month. In addition to data encryption, they include having a “risk-based” system to monitor threats firms could face from anyone who can access their information systems, even when that access involves nonpublic data.

“New York stepped into the void and took decisive action to ensure appropriate minimum standards protecting financial institutions’ data systems, including consumers’ sensitive personal information,” NYDFS Superintendent Maria T. Vullo said in an Aug. 8 statement warning companies about the upcoming deadline.

For now, New York's approach is more prescriptive than elsewhere, but experts say the state's new set of rules is being put in practice just as other state and federal regulators weigh how to mitigate the threat of a massive cyberattack.

Federal regulators have recently said cybersecurity improvements are a priority.

“While we know that successful cyberattacks are often connected to poor basic information technology hygiene, and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber-events,” Randal Quarles, the Federal Reserve Board's vice chairman for supervision, said in a Feb. 26 speech in which he called for more collaboration on cyber rules.

“The Federal Reserve has been working with, and will continue to work with, other financial regulatory agencies on harmonizing cyber risk management standards and regulatory expectations across the financial services sector,” he added.

But some said New York’s cybersecurity rule is too prescriptive to be applied broadly at the federal level. They note that the state's stringent requirements risk locking firms in to a process that will limit their ability to fight changing risks in the future.

“We don’t expect this to be a model for the federal regulators,” said Kevin Toomey, an attorney in Arnold & Porter’s Washington office.

Still, regulators have often said recently they want to update cybersecurity requirements but have struggled to develop tangible policy, while emerging cyber risks have grown through the rapid expansion of online and mobile banking.

New York State has won praise in some quarters for trying to tackle the problem head on with the new regulation. In addition to the upcoming phase of compliance, covered companies face another March 2019 deadline for complying with aspects of the rule dealing with third-party service providers.

The NYDFS “really put some meat on the bones of what it means to take reasonable steps to safeguard information by laying out, in quite granular detail, the types of safeguards that need to be used just to meet the baseline,” McAndrew said.

But Toomey said federal regulators don't have to go as far because their current policies can allow them and institutions to respond to more fluid threats.

“The regulators continue every year to set cyber and operational risk as top priorities in supervision and examinations,” he said. “The existing rules on the books with regard to cybersecurity are sufficient for the regulators to keep those priorities.”

Still, with New York State already overseeing a significant slice of the industry, some companies not based there said they are already modeling their cybersecurity compliance on the higher bar set by that state.

But at the same time, many agree that technology is advancing so rapidly that any regulation that is too prescriptive could become outdated quickly.

“Cyberdefense technologies are constantly improving, and are prone to outpace regulatory changes,” said Sam Taussig, head of global policy at Kabbage, an international fintech company based in Atlanta. “That’s why it’s important regulators take a more measured, principles-based approach to regulation than it being too prescriptive.”

Even though the federal regulators have broader cybersecurity regulators than the specific framework developed in New York, sources said federal examiners can still take a more critical eye toward compliance during examinations.

Companies are also faced with keeping up against ever-advancing cyber threats to avoid a breach, which poses both regulatory and reputational risk. Because of this, many prefer to set a higher cybersecurity bar than that set in federal law.

“The NYDFS is taking a strong regulatory approach, but we don’t need that at the federal level because banks are already leading the way across all infrastructure” for cybersecurity, said Paul Benda, senior vice president for risk management policy at the American Bankers Association. “Cybercriminals don’t stand still and neither do banks as they harden themselves” against cyber threats.

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Malware State regulators Randal Quarles NYDFS Federal Reserve
MORE FROM AMERICAN BANKER