Regulation should always be a last resort. Too many rules — or lack of coordination between federal, state and industry rules — can do more harm than good. But there are also times when minimum requirements make sense. When done right and in the right circumstances, rules can protect consumers and businesses.
New York's new cybersecurity rules, currently in draft form, fall somewhere in between these two categories. On one hand, the ever-increasing number of cyberattacks on financial institutions proves the industry needs minimum standards. On the other hand, the New York State financial regulators must change some of the specific requirements so that banks can avoid spending more time on compliance paperwork than on actual security.
Critics of the proposed rules have argued that big institutions already comply with a number of similar federal cybersecurity laws and industry-wide standards — like those from the Securities and Exchange Commission and Federal Financial Institutions Examinations Council — and that smaller institutions will face most of the compliance burden. Some of these concerns are legitimate.
Two particular requirements, while well-intentioned, fail to reflect the reality of how banks operate: that institutions report any attempted attack within 72 hours, and that they encrypt all non-public data.
Some large banks see thousands of attempted hacks a day and manage huge amounts of data — much of which presents no risk. Not only is it impractical to ask them to report every attempted intrusion and encrypt every bit of non-public data, without regard for risk and compensating controls, but it is also potentially counterproductive. It could divert limited resources from more valuable protection measures. We encourage the New York State financial regulators to take these concerns seriously as they finalize the rules. The state regulatory agency should lighten the reporting load, where appropriate, by consolidating it with other existing regulatory requirements.
If modified, these minimum standards are a step in the right direction. Any organization licensed by the New York State Department of Financial Services, from the smallest community lender to national behemoths, will now have to designate a chief information security officer, oversee third-party service providers' cybersecurity practices and have the chair of the board (or another senior executive) annually certify compliance. Some of these new requirements will add a cost burden — especially on smaller organizations — but they are worthwhile efforts. In the long term, they could save banks money by reducing intrusions and lowering the damage when they do happen.
In fact, it should be concerning that such practices need to be mandated. Much of the proposal — like establishing a cybersecurity program, instituting multi-factor authentication and training employees — draws heavily on common sense or on best practices that have existed for a decade and that most banks have already implemented.
The fact that such requirements are needed is a reminder that some in the banking industry, a group long recognized as leaders in information security, struggle to meet even basic security standards.
To be sure, there are limits to what regulation can accomplish. At a recent cybersecurity summit, U.S. Commerce Secretary Penny Pritzker said that the government "cannot regulate cyber risk out of existence." This is true. And there are other government measures that are voluntary and risk-based. This includes the National Institute of Standards and Technology's cybersecurity framework, which is helping businesses across the nation reduce their risk to cyber intrusions.
But for an industry that holds millions of consumers' valuable data and money and is regularly targeted by hackers, minimum standards like New York's have proven necessary. Not only will the rules help protect consumers, but they will also help financial institutions — even if it requires an initial upfront investment.
David Damato is chief security officer at Tanium, where he provides strategic product direction over module development for the Tanium Platform and manages the company's internal security program. He can be reached on Twitter @ArigatoDamato.