In a joint letter with twelve other financial and insurance groups today, ABA raised concerns about a new set of cybersecurity regulations proposed by the New York Department of Financial Services. The proposed rules require New York-chartered financial institutions to establish a cybersecurity program with written policies and procedures, designate a chief information security officer and meet a number of additional requirements including annual penetration testing, periodic reviews of access privileges and annual risk assessments. The proposal is the first of its kind from a state-level regulator and could set precedents for other states.
The groups took issue with the NYDFS’ “one-size-fits-all” approach, noting that the requirements fail to account for variations in the business models, IT system structures or risk profiles of the institutions they affect. They further pointed out that the rules impose unclear and unworkable requirements, and that the over-broad nature of the proposal could lead to reporting requirements being triggered too easily, adding a significant operational burden.
Among other things, the groups urged NYDFS to take a more risk-based approach that would provide institutions with greater flexibility, and include a materiality standard and harm trigger in its definition of “cybersecurity event.” They also called for an extension of the compliance date from 180 days to two years.