Major banking and insurance industry groups are attacking New York’s proposed regulation requiring member companies to adopt stringent protections against cyberattacks that compromise consumers’ confidential information.
National groups including the Securities Industry and Financial Markets Association, the American Bankers Association, and the Financial Services Sector Coordinating Council have filed public comments that are critical of nearly every major aspect of the state’s cybersecurity plan.
The plan “appears to impose inflexible, one-size fits all requirements,” the coalition said. They said federal regulators and other standard-setting organizations had crafted rules that were based on risk analyses and allowed more flexible guidelines.
Banking and insurance groups also called the Jan. 1 effective date “unworkable.”
The proposal by the state Department of Financial Services, among the first of its kind by state regulators in the United States, calls for all state-regulated banks and insurers to self-evaluate their cybersecurity vulnerabilities each year, develop updated security plans, create an immediate response plan for security breaches, and designate a qualified employee to act as chief security officer.
The rules also require cybersecurity training for all employees at financial institutions and require them to report all attempted or successful cybersecurity breaches to the state within 72 hours of their discovery (NYLJ, Sept. 15).
Gov. Andrew Cuomo has lauded the plan as representing “decisive action” to protect consumers and financial institutions from cybercriminals and terrorists in a state that is a national financial industry center.
The department published its proposal on Sept. 28 and accepted public comments through Nov. 14. Unless significantly altered by superintendent Maria Vullo (NYLJ, Sept. 26), the mandate will take effect Jan. 1.
The department said it would not release public comments until officials review them to see if they inadvertently contain any “proprietary” financial industry information. But copies of comments solicited by the New York Law Journal from industry groups themselves revealed their overwhelmingly negative evaluations.
They almost uniformly complained that the regulations fail to provide a “risk-based” approach to combatting cyberattacks that takes into account where companies are most vulnerable, or provide the flexibility to apply the bulk of their resources to where the dangers of security breaches are worst.
In joint comments filed by eight influential financial services industry groups, the coalition said its members have sought to adhere to cybersecurity guidelines developed by the National Institute of Standards and Technology, the International Organization for Standardization and federal agencies, such as the Securities and Exchange Commission, the Federal Reserve and the Federal Deposit Insurance Corp.
The coalition said a hallmark of all other cybersecurity guidelines is that institutions are given flexibility to respond to weaknesses as they become apparent through risk-based analyses.
They argued that the New York plan does not do so.
“The requirements [outside New York], in other words, are flexible and adaptable based on an assessment of the level of risk and permit firms to target resources and controls based on their size and complexity, customers and counterparties, market interconnectedness, and the sensitivity of the information,” the groups said.
They called the effective date of Jan. 1 “impractical,” and said it would take a “year or multiple years” to implement even a modified version of the state cybersecurity proposals. They recommended delaying implementation until Jan. 1, 2018, with a one-year transition period to begin on that date.
The other groups joining in the comments were the Financial Services Roundtable, the Mortgage Bankers Association, the American Financial Services Association, the American Land Title Association and the New York Mortgage Bankers Association.
Another coalition, composed of 13 banking and insurance groups including the Independent Insurance Agents & Brokers of America, the Blue Cross Blue Shield Association and the American Council of Life Insurers, complained that parts of the state proposal are “practically unworkable or technically infeasible.”
They cited requirements that institutions maintain audit trails allowing for reconstructing all financial transactions going back six years and for “timely” destruction of all non-public information as mandates with which institutions would struggle to comply if implemented in New York.
The banking and insurance groups also took issue with the requirement that institutions report every actual or attempted cyberbreach within 72 hours. They said the department’s definition of such a “cybersecurity event” could include routine network financial activity or human errors that involve no actual threat to confidential information.
The 13 groups also argued for a two-year delay in introducing cybersecurity rules to give companies time to prepare.
In a separate comment to the department, the New York Insurance Association objected to the “one-size-fits-all” nature of the proposal, arguing that cybersecurity threats and protections are vastly different for insurers writing less than $1 million a year in premiums, for instance, and those writing in excess of $2 billion a year.
The association, which represents property and casualty insurance industry in New York, said the regulations seem to be premised on the misconception that only consumers, and not the financial institutions themselves, suffer in cybersecurity breaches.
“Its provisions reflect an attitude that a breach in a company’s computer system is the fault of the company,” New York Insurance Association President Ellen Mechionni told the department. “It must be kept in mind that a company who suffers a cyber breach is almost always a victim of malicious behavior committed by bad actors.”
The Department of Financial Services said in a statement Wednesday that it is “thoroughly reviewing the comments submitted, as well as the feedback that we have received through our outreach with stakeholders.”
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.